Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mealplan

v3.0.0

Plan meals with calorie tracking and shopping lists. Use when organizing weekly meals.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, SKILL.md, and the bundled script are consistent: all commands (add, list, plan, nutrition, shopping, random) map to script functions. The data directory documented in SKILL.md matches the script's DATA_DIR.
Instruction Scope
SKILL.md instructs the agent to invoke the included script with simple command-line arguments. The runtime instructions do not request or read unrelated files, environment variables, or external endpoints beyond the local data directory.
Install Mechanism
There is no install spec; the skill is instruction-only with a single bundled script. Nothing is downloaded or extracted during install.
Credentials
The skill requires no environment variables, credentials, or config paths. The script only uses $HOME and standard utilities (date, grep, echo) which is proportional to its purpose.
Persistence & Privilege
The skill is not force-included (always: false) and does not modify other skills or system-wide configs. It stores user data in a single user-local directory (~/.local/share/mealplan), which is expected for this kind of tool.
Assessment
This skill appears coherent and local-only, but review and consider these practical points before installing: (1) it stores all data under ~/.local/share/mealplan — sensitive meal notes will be stored in plain files; (2) the shell script builds JSON by echoing raw user input without escaping and uses unquoted variables in places (grep and data writes), which can cause malformed records or unexpected behavior if you pass unusual characters — this is a robustness/data-integrity issue, not evidence of exfiltration; (3) if you want extra safety, inspect or run the script in a sandbox, or modify it to properly escape/quote inputs and validate arguments before use.

Like a lobster shell, security has layers — review code before you run it.
