Luna Calorie Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward calorie-tracking skill that analyzes meal photos and stores nutrition logs as advertised, with privacy considerations users should understand.

Install only if you are comfortable with meal photos being handled by your configured vision model and with food history, nutrition estimates, and calorie goals remaining in OpenClaw memory until you delete them. Be cautious on shared or synced machines, and inspect the external GitHub repository if using the manual clone installation path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence: 92%
Finding
The README explicitly says meal entries are stored persistently in memory files, but it does not warn users that this creates a retained record of potentially sensitive health and dietary information. Because calorie logs and food history can reveal health conditions, routines, religion, or lifestyle patterns, silent persistence increases privacy risk and may lead users to share data they would not have shared if retention were clearly disclosed.

Missing User Warnings

Medium
Confidence: 95%
Finding
The README requires a vision-capable LLM provider and API key, implying that food photos are transmitted to a third-party model service, but it does not clearly warn users about that data flow. Images may contain faces, location clues, medical or dietary information, and metadata, so undisclosed transmission to external providers creates a meaningful privacy and compliance risk.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill persistently stores sensitive health-related data, including inferred dietary habits and calorie goals, into memory files without any explicit disclosure, consent flow, or retention guidance. Even if this is core functionality, silent persistence of nutrition data increases privacy risk and can surprise users who may not expect long-term storage or later retrieval via history commands.

Missing User Warnings

Medium
Confidence: 84%
Finding
The `/calories undo` command instructs the agent to remove the last logged meal from today's memory file with no confirmation, preview, or recovery mechanism. Because this mutates persistent records, an accidental invocation or ambiguous parsing could destroy user health-tracking data and corrupt daily totals.

VirusTotal

65/65 vendors flagged this skill as clean.
