Skill v1.0.0
ClawScan security
Luna Calorie Tracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Mar 3, 2026, 6:22 AM)
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions align with its stated purpose (image-based calorie estimation and storing results in the agent's memory); it only needs an LLM API key and uses the agent's memory files for persistence.
- Guidance: This skill appears internally coherent, but before installing consider: (1) it requires an LLM API key (OPENAI_API_KEY) and will send food photos and metadata to the configured model provider—ensure you're comfortable transmitting sensitive images and health data to that provider; (2) meal data and goals are stored persistently in the agent's memory files (memory/YYYY-MM-DD.md and MEMORY.md), so review or delete those files if you want to remove historical data; (3) the README mentions multiple providers but the skill declares OPENAI_API_KEY — confirm how your agent maps provider credentials and whether any additional configuration is needed; (4) because this is instruction-only, the actual behavior depends on your agent's implementation of vision, memory storage, and memory_search; review those platform components and permissions if you need stricter privacy controls.
Review Dimensions
- Purpose & Capability: ok. The name and description (image-based calorie tracking) match the declared requirement (OPENAI_API_KEY) and the SKILL.md instructions (use a vision-capable LLM to identify foods, estimate portions/macros, and store results). There are no unrelated environment variables, binaries, or configuration paths requested.
- Instruction Scope: ok. The SKILL.md stays within scope: it instructs the agent to analyze images with its vision capability, produce structured summaries, and read/write memory files under memory/YYYY-MM-DD.md and MEMORY.md. It does not ask the agent to read unrelated system files, access other credentials, or call external endpoints besides the configured model provider (implied).
- Install Mechanism: ok. This is an instruction-only skill with no install spec and no code files, so nothing is downloaded or written to disk by the skill itself. That minimizes install-time risk.
- Credentials: note. Only OPENAI_API_KEY is required, which is proportionate for a skill that uses a remote vision-capable LLM. The README mentions other providers (Claude, Gemini) but the registry metadata declares OPENAI_API_KEY as primary — a minor inconsistency but not a security red flag. Be aware that the API key will be used to send images and text to the LLM provider.
- Persistence & Privilege: ok. The always flag is false (not force-enabled). The skill reads and writes only its own memory files (daily logs and MEMORY.md) in the agent workspace; it does not request system-wide configuration changes or other skills' credentials.
