Nutrition Claw
v1.0.9Local CLI for tracking nutrition with JSON data, semantic search, configurable goals, food library, meal logging, impact feedback, and YAML output.
⭐ 0· 224·0 current·0 all-time
by@pita
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (local nutrition CLI, semantic search, YAML output) match the included source: commands for configure/goals/food/meal/summary/history, local JSON storage under ~/.nutrition-claw, and a local vector index for semantic search. Dependencies (embeddings, vectra, transformers) are appropriate for the described semantic search capability.
Instruction Scope
SKILL.md instructs the user to run `npm install`, optional build (Bun), and `npm link` to expose the CLI—these steps are needed to run the packaged Node CLI but modify the developer environment (install packages, create a global symlink). SKILL.md and AGENTS.md also mention downloading a local embedding model on first search and copying SKILL.md into an OpenClaw workspace via a sync script; the latter expects a ./scripts/sync-skill.sh which is referenced but not present. Overall the instructions stay within the tool's purpose but require network/native installs and an explicit sync step that writes to the user's OpenClaw workspace if executed.
Install Mechanism
There is no registry install spec in the skill bundle (instruction-only), but SKILL.md tells users to run `npm install` (pulling dependencies) and `npm link`. Dependencies include native components (ONNX runtime mentioned) and large ML libraries (@xenova/transformers, @themaximalist/embeddings.js), which will cause model & binary downloads at install or first-run. These downloads are expected for local embeddings but are higher-risk than a pure JS-only CLI because they fetch and install native/model artifacts.
Credentials
The skill declares no required environment variables, credentials, or config paths. At runtime it uses only HOME (process.env.HOME) to create ~/.nutrition-claw and reads/writes local files there; that is proportionate to a local CLI storing user data.
Persistence & Privilege
The skill is not always-enabled and does not request elevated privileges. It does perform actions that persist data locally (writes JSON and a vectors dir under ~/.nutrition-claw) and recommends `npm link` (creates a global symlink). The AGENTS.md sync instruction would copy SKILL.md into an OpenClaw workspace if the referenced script is run; this is a normal developer convenience but worth noting because it writes into the agent workspace.
Assessment
This package appears to do what it says: a local CLI that stores data under ~/.nutrition-claw and uses a local embedding model for semantic search. Before installing, consider: 1) npm install will pull native/ML libraries (ONNX runtime, transformers, embedding model) and may download large model files on first run—if you want fully offline/no-network behavior, avoid using search features. 2) npm link will create a global CLI symlink and modifies your system Node environment; run in a controlled environment (container or VM) if unsure. 3) The tool writes data to ~/.nutrition-claw (goals.json, foods.json, logs/, vectors/, education.txt); back up or inspect that directory if you care about data placement. 4) AGENTS.md refers to a sync script that would copy SKILL.md into ~/.openclaw/workspace; review or avoid running such scripts unless you trust them. Overall the footprint looks proportionate to the stated purpose; if you want extra assurance, review the package.json/dependencies and run the CLI in an isolated environment before trusting it with real data.Like a lobster shell, security has layers — review code before you run it.
latestvk974qt34zmct1m6nh1p20vwhp182y7c6
License
MIT-0
Free to use, modify, and redistribute. No attribution required.