ClawHub

Nutrition tracking

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Haver nutrition-tracking skill, but it sends and stores sensitive diet, weight, profile, and optional image data with Haver.

Install only if you are comfortable using Haver as the backend for nutrition and weight tracking. Treat the hv_ API key like a password, avoid sending photos or health details you do not want stored, and be explicit when a food mention is only discussion rather than something to log.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Natural-Language Policy Violations

Medium
Confidence
86% confidence
Finding
The skill instructs the agent to set the user's language automatically based on platform knowledge without asking or confirming. This can override user preference and process inferred personal data without explicit consent, which is especially sensitive in a health-tracking context where profile and nutrition data are linked to a persistent identity.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The chat endpoint explicitly states that the AI can detect and log food mentioned in conversation, creating a hidden write side effect from what appears to be a read/advice interaction. In a health-tracking context, this can cause unintended modification of a user's nutrition records, streaks, and derived coaching state from casual conversation or ambiguous text, reducing data integrity and user trust.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The onboarding flow instructs collection and transmission of sensitive health/profile data including sex, age, height, weight, activity level, and goals, but does not require any explicit privacy notice, consent, or user-facing explanation before sending it to the backend. In a nutrition and health-tracking skill, this creates a meaningful privacy risk because users may disclose regulated or highly sensitive personal data conversationally without understanding that it will be persisted or processed by an external API.

Natural-Language Policy Violations

High
Confidence
90% confidence
Finding
The skill explicitly directs the agent to set the user's language automatically based on platform-provided context and to do so without asking the user. This removes user choice and silently transfers inferred or contextual personal preference data into account settings, which is especially problematic during onboarding where users should understand and control profile initialization.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal