Nutrition Claw
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its local nutrition-tracking purpose, but its date argument is used unsafely in file paths and could let crafted input write outside the intended log folder.
Use caution before installing. The skill appears designed to work locally and does not show exfiltration, but it should validate date inputs before writing files. If you use it anyway, only pass normal YYYY-MM-DD dates, install dependencies from a trusted source, and remember that your nutrition history is stored locally in plaintext.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or mistaken date value could corrupt this skill's own files, such as goals or foods, or potentially affect other writable .json files under the user's account.
The date value is interpolated directly into a filesystem path. The command code only requires that a date be present; it does not enforce the YYYY-MM-DD format or reject path separators, so a crafted date containing '../' could read or write .json files outside the intended logs directory. Because `join` normalizes '..' segments before the path reaches the filesystem, `join(LOGS_DIR, '../goals.json')` resolves to the skill's own `goals.json`, and further '../' segments reach any .json file the user account can write.

The code that builds the path:

```ts
const LOGS_DIR = join(BASE_DIR, 'logs');
...
function logPath(date: string): string {
  return join(LOGS_DIR, `${date}.json`);
}
...
export function writeDayLog(date: string, log: DayLog): void {
  writeJson(logPath(date), log);
}
```

Validate dates with a strict YYYY-MM-DD regex, reject path separators, and apply a containment check on the resolved path (not the raw string, since normalization happens first) before reading or writing log files.
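The following is an added example written for this review, not code from the skill. It places a hardened `safeLogPath` beside a mirror of the skill's vulnerable helper (`unsafeLogPath`, with the logs directory passed in as a parameter rather than taken from a module constant, an assumption made so it runs stand-alone). `isValidDate` enforces the strict format and also rejects impossible calendar dates such as 2026-02-30; the containment check compares the resolved target against the resolved root plus a trailing separator, so a sibling directory whose name merely starts with the root (for example `logs2`) does not pass.

```typescript
// Added example for this review (not the Nutrition Claw skill's own code).
// Demonstrates the recommended fix: strict YYYY-MM-DD validation plus a
// resolved-path containment check. Function names are hypothetical.
import * as path from "path";

// Exactly four digits, dash, two digits, dash, two digits; nothing else.
// A '/' or '\' or a newline anywhere in the string fails this regex.
const DATE_RE = /^(\d{4})-(\d{2})-(\d{2})$/;

// Accept only a real calendar date in strict YYYY-MM-DD form.
// Round-trips through Date.UTC so that e.g. 2026-02-30 is rejected.
export function isValidDate(date: string): boolean {
  const m = DATE_RE.exec(date);
  if (!m) return false;
  const y = Number(m[1]);
  const mo = Number(m[2]);
  const d = Number(m[3]);
  const t = new Date(Date.UTC(y, mo - 1, d));
  return (
    t.getUTCFullYear() === y &&
    t.getUTCMonth() === mo - 1 &&
    t.getUTCDate() === d
  );
}

// Mirror of the vulnerable helper from the review: the caller-supplied
// string goes straight into the path, and join() normalizes any '..'.
export function unsafeLogPath(logsDir: string, date: string): string {
  return path.join(logsDir, `${date}.json`);
}

// Hardened helper: validate first, then resolve and confirm the target
// is strictly inside logsDir. Throws on any input that fails either check.
export function safeLogPath(logsDir: string, date: string): string {
  if (!isValidDate(date)) {
    throw new Error(`invalid date: ${JSON.stringify(date)}`);
  }
  const root = path.resolve(logsDir);
  const target = path.resolve(root, `${date}.json`);
  // root + separator ensures the target is a descendant of root, not root
  // itself and not a sibling such as "<root>2" that shares the prefix.
  if (!target.startsWith(root + path.sep)) {
    throw new Error(`path escapes logs directory: ${target}`);
  }
  return target;
}

// Constructed inputs illustrating the difference between the two helpers.
export function demo(): Record<string, string> {
  const logs = "/tmp/nutrition-claw/logs"; // hypothetical base directory
  const out: Record<string, string> = {};
  out.good = safeLogPath(logs, "2026-05-10");
  out.unsafeTraversal = unsafeLogPath(logs, "../goals"); // lands beside goals.json
  try {
    out.safeTraversal = safeLogPath(logs, "../goals");
  } catch (e) {
    out.safeTraversal = `rejected: ${(e as Error).message}`;
  }
  return out;
}
```

The regex alone stops the traversal in this code, but the containment check is cheap and protects against a future refactor that builds the filename from a different input; keeping both is the usual defense-in-depth choice.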
Installing or building the skill fetches third-party packages, so the installed code may depend on external package integrity and registry behavior.
The CLI depends on external npm packages declared with caret version ranges, including embedding/model libraries, and one devDependency (`@types/bun`) pinned only to the floating `latest` tag. This is purpose-aligned for the CLI and its local semantic search, but without a lockfile each install may resolve different dependency code over time, and a compromised or replaced package version would be pulled in silently.

From the package manifest:

```json
"dependencies": {
  "@inquirer/prompts": "^7.5.2",
  "@themaximalist/embeddings.js": "^0.1.3",
  "@xenova/transformers": "^2.17.2",
  ...
},
"devDependencies": {
  "@types/bun": "latest",
  "typescript": "^5.8.2"
}
```

Install from a trusted source, avoid running the installation as an administrator, and prefer a reviewed lockfile or pinned dependency versions for reproducible installs.
Meal history, nutrition goals, and food records remain on disk in the user's home directory in plaintext, and may be included in backups or visible to other local processes and users depending on filesystem permissions.
The skill persistently stores personal nutrition data and a local vector index. This is disclosed and aligned with its purpose, but it is still sensitive health data that is reused in later searches and outputs.
All data is stored locally in `~/.nutrition-claw/`: ... `goals.json` ... `foods.json` ... `logs/` ... `vectors/`
Treat the folder as private health data, protect local account access, and delete `~/.nutrition-claw/` if you want to remove the stored history.
