Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Megan
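v4.0.0 Scientific nutrition advisor. Calculates food calories, TDEE/BMR, and macronutrient distribution, and provides dynamic dietary advice based on the female physiological cycle. Supports diet logging, intermittent fasting, carb cycling, GI/GL blood-sugar management, anti-inflammatory diets, stress-cortisol nutrition, reverse dieting, and more. Trigger words: 计算热量、饮食建议、今天吃什么、减脂食谱、增肌食谱、TDEE、BMR、卡路里、记录饮食、查热量、替换、外食指南、补...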
by Megan @yamyeed
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (nutrition advisor for calorie/TDEE/macros and cycle-aware advice) aligns with the SKILL.md content. There are no unrelated requested credentials or binaries; the capabilities described match the instructions.
Instruction Scope
SKILL.md explicitly instructs the agent to collect personal and sensitive health data (age, weight, body-fat, menstrual cycle, PCOS, pregnancy/breastfeeding status, etc.) and to persist profiles, daily logs, hydration and habit tracking under '~/nutrition-data/*'. However the registry metadata lists no required config paths or data-handling/retention guarantees. The instructions also mandate auto-generating reports and storing logs, but do not specify encryption, access control, or explicit user consent flows.
Install Mechanism
Instruction-only skill with no install spec and no code files — low surface area for hidden installs or remote code fetches.
Credentials
The skill requests no environment variables, credentials, or external services. That is proportionate to a local nutrition advisor.
Persistence & Privilege
The skill will persist personal health data to files in the user's home directory and generate ongoing logs/reports, but it does not request elevated privileges, does not set always:true, and does not modify other skills. The metadata omission of required config paths and absence of detail about file protections is the main concern.
What to consider before installing
This skill appears to do what it says, but it will collect and save sensitive health data locally (~/nutrition-data/profile.json, daily logs, hydration, etc.). Before installing or enabling it, consider:
1) Confirm whether your agent runtime will actually write to your home folder and whether those files are sandboxed;
2) Ask the author to add declared config paths and a clear data-retention/encryption policy;
3) If you proceed, check and restrict file permissions (e.g., chmod 600), inspect the created files for unexpected content, and back them up or delete them if no longer needed;
4) Do not rely on this skill for medical diagnoses — follow its own disclaimer and consult a registered professional for medical issues;
5) If you are uncomfortable with persistent local storage of sensitive data, do not enable the skill or run it in an isolated account/container.
If you want higher assurance, request the author to explicitly declare the config paths in metadata and describe how data is stored and protected.
Like a lobster shell, security has layers — review code before you run it.
latest vk97ahcq3b7php7yj3jr6ms4pps84qy21
