nutricoach 营养专家

This skill appears to implement what it claims (local meal/pantry tracking, recipe suggestions, OCR wrappers and a local dashboard). Before installing and running: - If you want to use OCR cloud services, be aware that you will need to provide an API key (e.g., OPENAI_API_KEY or a Kimi Vision key) — only enable cloud OCR if you trust the external provider and accept that images/nutrition data may be sent off-device. The skill's metadata does not declare those env vars explicitly. - The code includes a HARDCODING_AUDIT pointing out many hardcoded row indices and other brittle code; this is an engineering quality issue (risk of bugs/corrupted exports) but not malicious. Review/patch db_schema usage before relying on it in production. - The web dashboard template pulls Chart.js from a CDN and the UI may request external assets; if you need an offline deployment, host those assets locally. - Data is stored in the skill's data/backups directories (relative to the skill). Backups are local copies of the DB — ensure you store backups securely (they contain sensitive health data). - Recommended: run the code in an isolated environment (virtualenv/container), review any optional OCR integration code paths you plan to enable, and inspect or run the test suite included to validate behaviour on your platform. If you want, I can: (a) scan specific files for network calls and exact locations where OPENAI_API_KEY or other env vars are read, (b) list all code locations that call subprocess/network, or (c) point out the highest-risk lines that should be reviewed/changed before deployment.