My Fitness Claw

Security checks across malware telemetry and agentic risk

Overview

This is a working local nutrition tracker, but it spreads personal diet data across several files and carries browser and network risks that its documentation does not fully disclose; review those before installing.

Install only if you are comfortable storing meal and nutrition data in workspace files and agent memory. Prefer opening the offline dashboard file directly rather than serving the workspace root over a web server. Before sharing or publishing the workspace, clear the assets/nutrition and root nutrition data, the offline_data.js mirror, and the memory files. Treat the micronutrient targets and tips as generic estimates, not medical advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The dashboard page imports executable JavaScript from a third-party CDN at runtime, which creates a supply-chain risk: if the CDN, the package, or the delivery path is compromised, arbitrary code runs in the dashboard context. In this nutrition-tracking skill, that code could read and alter the displayed meal, macro, and insight data or make unexpected network requests, and the dependency is not essential to a trusted local-only rendering model (it could be vendored into the workspace instead).

Vague Triggers

Severity: Medium
Confidence: 83%
Finding
The trigger condition 'when the user mentions eating something' is broad enough to fire on casual conversation and cause unintended data processing and file writes. In a skill that persists nutrition and memory data, overbroad activation raises the chance of collecting or storing personal information without clear user intent.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The workflow directs persistent writes to nutrition logs, offline dashboard data, and daily memory files without an explicit notice or consent step. Because this involves health-related personal data, silent persistence creates privacy risk, surprises users about retention, and expands the footprint of sensitive information across multiple files.

Natural-Language Policy Violations

Severity: High
Confidence: 95%
Finding
The skill applies micronutrient tracking and health insights using a fixed 'general 32-year-old male' profile without confirming the user's age, sex, or suitability. In a nutrition context, this can produce misleading health guidance, normalize incorrect targets, and create safety issues for users whose needs differ materially from that profile.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The dashboard silently contacts an external service to load code, with no user-facing disclosure, which introduces an unexpected privacy and trust boundary into a chat-controlled health/nutrition tool. Even if the request fetches only Chart.js, undisclosed external network access exposes the user to tracking and telemetry and to future abuse if the dependency changes or is compromised.

VirusTotal

64/64 vendors reported no detections for this skill.
