nutricoach Nutrition Expert

Security checks across malware telemetry and agentic risk

Overview

NutriCoach mostly does what it claims, but it handles sensitive health data with under-scoped web, file, and cloud-OCR behaviors that users should review before installing.

Install only if you are comfortable storing health and diet records in local plaintext SQLite files and using an unauthenticated local web dashboard. Run the dashboard only on a trusted machine/network, prefer local OCR for private images, avoid cloud OCR unless you consent to sending photos to the configured provider, use simple usernames, and secure or encrypt exports and backups.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (20)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
'--format', 'json'
        ]
        
        match_result = subprocess.run(match_cmd, capture_output=True, text=True, timeout=30)
        match_data = json.loads(match_result.stdout)
        
    finally:
Confidence
91% confidence
Finding
match_result = subprocess.run(match_cmd, capture_output=True, text=True, timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
]
        
        try:
            ocr_result = subprocess.run(ocr_cmd, capture_output=True, text=True, timeout=60)
            if ocr_result.returncode != 0:
                return {
                    "status": "error",
Confidence
91% confidence
Finding
ocr_result = subprocess.run(ocr_cmd, capture_output=True, text=True, timeout=60)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
script_path = os.path.join(SKILL_DIR, 'scripts', script_name)
    cmd = ['python3', script_path, '--user', user] + list(args)
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
        if result.returncode == 0:
            return json.loads(result.stdout)
        else:
Confidence
91% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The restore function accepts any existing filesystem path as input and copies that file into the user's database location, only falling back to the managed backup directory if the provided path does not exist. This bypasses the intended backup boundary and allows restoration from arbitrary local files, which can expose or overwrite application data with attacker-chosen content if an untrusted actor can influence the --file argument.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The database path is built directly from the user-supplied username via os.path.join(data_dir, f"{username}.db") with no validation or canonicalization. A username containing path traversal sequences such as ../ can escape the intended per-user data directory and cause the program to open arbitrary SQLite files accessible to the process, breaking multi-user isolation and potentially exposing or corrupting other data.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
This finding reflects a real security issue, not merely inaccurate comments: the code and surrounding assumptions imply per-user isolation, but the unsafe path construction allows selection of databases outside the intended user scope. In a health-data management skill, that mismatch is especially risky because it can lead to unauthorized access to sensitive dietary and body-metric information from other users or other local SQLite databases.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The database path is built directly from the supplied username with no validation or canonicalization. An attacker can use path traversal sequences such as '../' to escape the intended data directory and cause the code to open arbitrary SQLite files elsewhere under the skill tree, breaking the stated multi-user isolation and potentially exposing or modifying other users' health data if writable database files are reachable.

Context-Inappropriate Capability

Low
Confidence
90% confidence
Finding
The stylesheet imports Google Fonts from a third-party domain, which causes clients loading the health-management dashboard to make external network requests. In a health-related application, even passive third-party requests can leak metadata such as IP address, user agent, timing, and page access patterns, creating avoidable privacy exposure that is not strictly necessary for core functionality.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
This helper exposes a generic execution primitive to the web layer, effectively turning the dashboard into a broker for running backend scripts. In a nutrition-coaching skill handling personal health data, such a broad capability expands the attack surface and can be abused to invoke unintended functionality or access sensitive per-user data via scripts not meant for direct web triggering.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README promotes a cloud OCR option ('Kimi Vision') for food-image scanning but does not disclose that images and potentially sensitive health-related packaging or meal data may be transmitted to a third-party service. In a health-data skill, this omission can cause users or integrators to unknowingly send personal data off-device, creating privacy, consent, and compliance risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README describes export, backup, and restore workflows for per-user SQLite databases containing personal health and diet records without warning that exported files and restored databases can expose sensitive data or overwrite current records. Users may mishandle unencrypted exports or perform unsafe restores, leading to confidentiality loss or accidental data destruction.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The cloud OCR workflow instructs users to send food images and related metadata to third-party vision providers, but the documentation does not clearly warn that images may contain personal, health, or household information. Because this skill handles nutrition, pantry, and health tracking, uploaded images and extracted text can reveal sensitive lifestyle and medical-adjacent data to external services.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The architecture explicitly stores highly sensitive health data in per-user local SQLite files and documents a 365-day retention default, but it does not mention user notice, consent, or controls for persistence, retention, and deletion. In a health-data skill, undisclosed local storage increases privacy risk because users may assume conversational input is ephemeral when it is actually retained on disk and backed up/exported.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The meal logging flow shows photos being sent through a Vision API path, but the documentation does not warn that meal images and possibly extracted nutritional data may leave the local environment and be processed by a third party. Because this skill handles health-related dietary information, silent external processing creates a meaningful privacy and compliance risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide instructs users to use cloud OCR with a third-party API and even provides configuration details, but it does not clearly warn that food package photos and extracted data may be transmitted off-device to external providers. In a health and diet skill, uploaded images can contain sensitive personal or household information, so omission of a privacy/transmission notice can mislead users about where their data is going.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
When no match is found, the code automatically inserts a new food record derived from OCR output without confirmation, review, or validation. In a personal health/nutrition system, attacker-controlled or erroneous OCR data can silently poison the user's food database, causing incorrect nutrition tracking, misleading recommendations, and integrity loss in health-related records.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
When cloud OCR is selected, the script base64-encodes the full image and sends it to a remote API endpoint, but the execution flow provides no explicit privacy warning, consent gate, or clear disclosure at runtime. In a health-related skill, food packaging photos may contain sensitive contextual information, and silent transmission to third-party services increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The logger persists user-specific health-related activity, including scanned products and optional barcodes, to local disk in plaintext JSON lines without any evident consent, minimization, retention, or access-control safeguards. In a nutrition and health coach context, this can expose sensitive behavioral and dietary data to other local users, backups, or log processors, creating privacy and compliance risk even if there is no direct code execution issue.

External Transmission

Medium
Category
Data Exfiltration
Content
```yaml
vision:
  api_key: "your-api-key"
  base_url: "https://api.moonshot.cn/v1"
  model: "kimi-k2.5"
```
Confidence
88% confidence
Finding
https://api.moonshot.cn/

External Transmission

Medium
Category
Data Exfiltration
Content
```yaml
vision:
  api_key: "sk-xxxxx"
  base_url: "https://api.moonshot.cn/v1"
  model: "kimi-k2.5"
```
Confidence
88% confidence
Finding
https://api.moonshot.cn/

VirusTotal

66/66 vendors flagged this skill as clean.
