Skill v1.7.0
ClawScan security
My Fitness Claw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 3, 2026, 12:52 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requested files, tools, and runtime instructions align with a local nutrition-tracking dashboard; nothing in the package appears disproportionate or unrelated to its stated purpose.
- Guidance: This skill is coherent with its stated purpose, but it stores personal meal data in workspace files and the agent memory directory. Before using or publishing: (1) review and back up any existing memory/ or nutrition/ files you care about; (2) understand that the dashboard loads Chart.js from a public CDN when opened in a browser; (3) if you plan to share the skill, follow the included publishing checklist to sanitize daily_macros.json, offline_data.js, insights.json, targets.json, and memory/ to avoid leaking personal information.
Review Dimensions
- Purpose & Capability (ok): Name and description (nutrition logging, macros/micros, dashboard) match the declared tools (canvas, read, write, edit) and the files present (nutrition/, canvas/, assets/). There are no unrelated binaries or external credentials requested.
- Instruction Scope (note): Instructions direct the agent to read/write JSON under assets/nutrition/ and to write an offline mirror (assets/canvas/offline_data.js) and a memory file (memory/YYYY-MM-DD.md). This is consistent with a logging/dashboard skill, but it does mean the agent will persist user-provided meal data into workspace files and the agent memory directory as part of normal operation.
- Install Mechanism (ok): No install spec; the skill is instruction-only with small static assets and an offline_data.js mirror. The only external resource is Chart.js pulled from jsdelivr when the dashboard is opened in a browser, which is expected for a web dashboard.
- Credentials (ok): The skill requests no environment variables or external credentials. It declares the exact paths it will touch (nutrition/, canvas/, memory/), and the SKILL.md uses only those paths.
- Persistence & Privilege (ok): "always" is false and model invocation is allowed (defaults). The skill writes its own assets and memory files (normal for a local logging skill). It does not request permanent platform-wide privileges or modify other skills' configurations.
