Megan

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only nutrition advisor that discloses local storage of sensitive diet and health details, with no code, network access, or hidden execution behavior found.

Install only on a trusted device if you are comfortable storing body metrics, menstrual or reproductive-health details, allergies, food logs, and hydration data under ~/nutrition-data. Delete that folder when you no longer need the records, and treat nutrition, fasting, supplement, PCOS, pregnancy, or medical-adjacent advice as informational rather than a substitute for a qualified clinician.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger list includes very broad everyday phrases such as '今天吃什么', '替换', and '记录饮食', which can cause the skill to activate in contexts the user did not intend. Because this skill collects and stores sensitive health and dietary data, accidental invocation can lead to unnecessary collection, retention, or disclosure of personal information.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill collects highly sensitive health data, including reproductive status, menstrual information, PCOS, allergies, and dietary history, and stores it locally without an explicit up-front consent notice before collection. Even if the data is kept on-device, surprise collection and persistence of sensitive medical-style information increases privacy risk, especially on shared machines or environments with weak filesystem protections.

VirusTotal

58/58 vendors flagged this skill as clean.
