My Fitness Claw
Review
Audited by ClawScan on May 10, 2026.
Overview
This looks like a real local nutrition tracker, but its dashboard and data-storage instructions create privacy and safety issues that users should review before installing.
Install only if you are comfortable storing meal and health-related data in this workspace. Prefer the offline dashboard, avoid running a web server from the workspace root, and clear all nutrition, mirror, and memory files before sharing. The maintainer should also bundle or pin the dashboard dependency and fix the unsafe HTML rendering.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user runs this command, other files in the workspace may become reachable through the local web server, not just the nutrition dashboard.
This recommends serving the entire workspace root to view one dashboard. Python's simple HTTP server can expose more files than intended, and the instruction does not advise serving only the skill directory or binding access tightly.
Run `python -m http.server 8000` from the workspace root and visit `http://localhost:8000/skills/my-fitness-claw/assets/canvas/index.html`.
Serve only the dashboard directory, bind explicitly to localhost, or document the exposure risk; prefer the file:// offline view when possible.
Opening the dashboard contacts a third-party CDN and runs external JavaScript that would have page-level access if the dependency or CDN were compromised.
The dashboard loads a remote, unpinned third-party script at runtime. That script runs in the same page that displays nutrition data, while the README presents the skill as fully local and private.
<script src="https://cdn.jsdelivr.net/npm/chart.js"></script>
Bundle a reviewed local Chart.js file, pin an exact version with integrity metadata, and disclose any network dependency clearly.
A user trying to sanitize the skill before sharing could clear the wrong files and accidentally publish personal meal or health data.
The workflow writes canonical and mirrored data under `assets/...`, but the publishing checklist tells users to clear similarly named root paths. This mismatch can leave the actual stored nutrition data behind when sharing or publishing.
Update `assets/nutrition/daily_macros.json` ... Update `assets/canvas/offline_data.js` ... Clear `nutrition/daily_macros.json` ... Clear `canvas/offline_data.js`
Use one canonical data location, remove duplicate stale paths, and update the cleanup checklist to clear every persisted data copy, including the offline mirror and memory files.
A malicious or accidental meal entry containing HTML could run script in the dashboard page when opened.
The included dashboard writes meal names into HTML using `innerHTML`. Meal names are derived from natural-language food logs, so HTML or script-like content could be rendered as code instead of text.
logContent.innerHTML += `... <div class="log-food">${meal.food}</div> ...`;
Render meal names and other log fields with `textContent` or escaped DOM nodes instead of concatenating untrusted values into `innerHTML`.
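The unsafe concatenation pattern next to two hardened renderings, as an added example that is not the skill's own dashboard code; the `meal` field names, the `escapeHtml` helper and the hostile log entry are constructed here for illustration:

```javascript
// Added example (not from the skill's own dashboard code): the vulnerable
// innerHTML pattern quoted in the finding next to a hardened version. The
// meal fields and the hostile log entry below are constructed for illustration.

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// VULNERABLE: mirrors the dashboard's pattern. The food name is interpolated
// into markup, so an entry such as '<img src=x onerror=...>' becomes a tag.
function renderLogEntryUnsafe(meal) {
  return `<div class="log-entry"><div class="log-food">${meal.food}</div>` +
         `<div class="log-kcal">${meal.kcal}</div></div>`;
}

// HARDENED (string variant): each untrusted field is escaped before it is
// placed in markup, so the same entry renders as literal text.
function renderLogEntrySafe(meal) {
  return `<div class="log-entry"><div class="log-food">${escapeHtml(meal.food)}</div>` +
         `<div class="log-kcal">${escapeHtml(meal.kcal)}</div></div>`;
}

// HARDENED (DOM variant, the fix the finding recommends): build nodes and set
// textContent, which is never parsed as markup. `doc` is injected so the
// function can also be exercised outside a browser.
function appendLogEntry(container, meal, doc = globalThis.document) {
  const entry = doc.createElement("div");
  entry.className = "log-entry";
  for (const [cls, text] of [["log-food", meal.food], ["log-kcal", meal.kcal]]) {
    const cell = doc.createElement("div");
    cell.className = cls;
    cell.textContent = String(text); // assigned as text, never as HTML
    entry.appendChild(cell);
  }
  container.appendChild(entry);
  return entry;
}

// Constructed hostile entry of the kind a free-form food log could carry.
const hostileMeal = { food: '<img src=x onerror="alert(1)">', kcal: 420 };
```

In the real dashboard, `appendLogEntry(logContent, meal)` replaces the `innerHTML +=` line; the string variant is shown only to make the escaping visible.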
Your eating habits and nutrition targets may remain in local memory files after the chat ends.
The skill intentionally persists meal history in agent memory in addition to JSON files. This is aligned with the nutrition-tracking purpose, but the data is personal and may be reused or retained across sessions.
Update Memory: Log the meal in the agent's current daily memory file (e.g., `memory/YYYY-MM-DD.md`).
Review and clear the memory folder when you no longer want the history retained, especially before sharing the workspace or skill.
