Skill v1.0.0

ClawScan security

Calorie Visualizer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 17, 2026, 12:24 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, instructions, and requirements are coherent with a local calorie-logging and image-reporting tool; there are no unexplained credentials, hidden network endpoints, or high-risk install steps.
Guidance
This appears to be a local-only calorie logging/reporting skill that stores data in calorie_data.db and writes daily_report.png inside the skill folder. Before installing:
1) Review whether you are comfortable with the tool reading USER.md in your repository (or any path you set via CALORIE_VIS_USER_MD) to compute TDEE.
2) Only set USDA_API_KEY if you want online lookup (it is optional).
3) Ensure you have a system Chromium/Chrome runtime for html2image and install the Python deps via requirements.txt.
4) If you have privacy concerns, inspect the scripts (they are included); there are no hidden network endpoints or obfuscated code.
If you want extra assurance, run the scripts in an isolated environment (container or VM) first.

Review Dimensions

Purpose & Capability: ok
Name/description (local calorie logging + visual reports) match the code and files: CLI for adding entries, local SQLite DB, local food DB, renderer that produces a PNG. Declared runtime (python3, html2image + Pillow, local Chromium) is proportional to the reported functionality.
Instruction Scope: note
SKILL.md and the CLI instruct only local operations (write to calorie_data.db, regenerate local report, output REPORT_IMAGE:<path>). The code also reads USER.md (two directories up by default) to compute TDEE — this is documented in the README/SKILL.md, but it means the skill will attempt to read a workspace-level USER.md for profile data. That behavior is consistent with the feature but is a privacy-sensitive read that users should be aware of. The only external network call is an optional USDA API lookup when USDA_API_KEY is set.
Install Mechanism: ok
There is no opaque download/install script. The repo contains Python scripts and a requirements.txt; the install instructions are to pip install the listed dependencies (html2image, Pillow). This is a low-risk, standard install path. html2image uses a system Chromium runtime (documented).
Credentials: note
No required environment variables are declared. The code optionally reads USDA_API_KEY (for online food lookup) and CALORIE_VIS_USER_MD (an override path for the USER.md file). Both are reasonable for their purposes, but CALORIE_VIS_USER_MD lets a user-supplied path be read — only set it if you trust the skill. No unrelated secrets or credentials are requested.
Persistence & Privilege: ok
The skill does not request always:true and will not auto-enable itself. It writes local files inside the skill directory (calorie_data.db, daily_report.png, and updates data/food_database.json), which is expected for local persistence. It does not modify other skills or global agent settings.