饮食行为健康分析工具
ReviewAudited by ClawScan on May 13, 2026.
Overview
The diet analysis purpose is coherent, but sensitive health-report history appears to be accessible using only an open-id such as a username or phone number, with unclear authentication.
Install only if you are comfortable sending meal videos and a user identifier to the configured external service. Use your own open-id only, avoid entering other people’s phone numbers or identifiers, and consider deleting saved attachments after analysis.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could accidentally query or save reports under the wrong identifier, and report access may depend on knowing an identifier rather than a verified account boundary.
The code requires an open-id that may be a username or phone number for listing diet analysis reports, while the API key is not actually marked required in argparse. For sensitive health reports, the artifacts do not clearly show that the open-id is authenticated or belongs to the requester.
parser.add_argument("--open-id", required=True, help="当前用户的OpenID/UserId/用户名/手机号")
parser.add_argument("--list", action='store_true', help="显示饮食行为分析列表清单")
parser.add_argument("--api-key", help="API访问密钥(必需)")Only use your own identifier, and the publisher should require authenticated account/session or scoped API credentials for report history access.
Your uploaded meal video and related analysis identifiers may be sent to an external service.
The shared analysis implementation reads the selected local video and uploads it to the configured provider API. This is purpose-aligned for video analysis, but the data can include faces, homes, meals, and health context.
with open(input_path, 'rb') as f:
file_content = f.read()
files = {
'file': (os.path.basename(input_path), file_content, mime_type)
}
response = self.analysis(params=params, files=files)Upload only videos you have permission to share and review the provider’s privacy, retention, and deletion practices.
Sensitive meal videos may remain stored locally after analysis.
The skill says uploaded attachments or videos are automatically saved under the skill directory. This is scoped and purpose-related, but it creates local persistence for sensitive video content without stated retention or cleanup.
如果用户上传了附件或者视频文件,则自动保存到技能目录下 attachments
Delete saved attachments when no longer needed, and the publisher should document retention and cleanup behavior.
If the skill were switched to the dev environment, sensitive analysis data could be sent to an unexpected private endpoint.
A bundled development config points to a private raw-IP HTTP endpoint. The shown production config is different, so this is not active by default, but it is a provenance/configuration risk if environments are changed.
base-url-open-api: "http://192.168.1.234:9601/smyx-open-api"
Keep the skill on verified production endpoints and remove or clearly separate dev-only configuration from published packages.