Nutrition tracking

v1.0.0

AI-powered nutrition coach and health tracker (powered by Haver). Log food with natural language, track calories and macros, monitor weight, get AI coaching,...

by Yuri.v9v @yuvasee
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (AI nutrition coach) aligns with the documented API calls and flows: logging food, weight, summaries, XP, onboarding, and chat. Endpoints and behavior described match the stated purpose.
Instruction Scope
SKILL.md instructs the agent to call only Haver API endpoints and to relay returned messages; it does not ask for unrelated system files or unrelated credentials. However the runtime instructions reference an environment variable HAVER_API_URL (default https://haver.dev) and instruct the agent to 'Save the apiKey immediately as persistent memory' — these actions affect agent state and are not declared in the skill metadata.
Install Mechanism
No install spec and no code files — the skill is instruction-only, so nothing is downloaded or written to disk by an installer.
Credentials
The skill requires a per-user API key (prefixed 'hv_') to operate and explicitly instructs saving that key into persistent memory. The registry metadata shows no declared required env vars or primary credential, and the skill did not declare persistence of secrets. Storing long-lived secrets in agent memory increases risk of accidental exposure or reuse across contexts and should be justified/explicitly consented to by the user.
Persistence & Privilege
always:false (normal). However the instruction to persist the API key combined with the platform's normal autonomous invocation means the agent could make API calls later without the user's interactive consent. This is coherent for a personal coach but raises privacy/long-term access considerations the user should accept explicitly.
What to consider before installing
This skill behaves like a normal nutrition-tracking integration and will register users with Haver and store a per-user API key (hv_...) so it can call the Haver API on the user's behalf. Before installing, consider:
1) Are you comfortable the agent will persist a long-lived API key in its memory? That key gives ongoing access to your nutrition data on haver.dev.
2) Verify the service (https://haver.dev) is legitimate and that you trust its privacy policy and data handling.
3) Prefer explicit consent and, if possible, scoped/short-lived credentials rather than storing a permanent API key.
4) Note that re-registering rotates/invalidates keys — automatic re-registration could break other devices.
If you accept these trade-offs (persistent credential storage and autonomous calls to haver.dev), the skill appears coherent; if not, avoid installing or request the skill be modified to use ephemeral tokens or explicit user-provided credentials each session.

Like a lobster shell, security has layers — review code before you run it.

Tags: calories, coaching, diet, food-tracking, health, latest, macros, nutrition, weight


Runtime requirements

🥑 Clawdis
