Nutrition tracking
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: openclaw-nutrition Version: 1.0.0 The OpenClaw AgentSkills skill bundle for 'openclaw-nutrition' is benign. All instructions for the AI agent, including persona, API usage, and data handling, are clearly aligned with its stated purpose as an AI-powered nutrition coach. The skill interacts exclusively with the `https://haver.dev` backend, sending necessary user data (like API keys and health metrics) to this service. There is no evidence of unauthorized data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts designed to subvert the agent for harmful purposes. The documentation is transparent about data storage and API key handling.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Food, weight, or profile entries may be added or changed in the Haver account during normal use.
The agent is instructed to make API calls that create or update nutrition records based on conversational interpretation. This matches the nutrition-tracking purpose, but it can mutate user records if the agent misunderstands ambiguous text.
Rule of thumb: If they're telling you what they ate, log it. If they're asking a question, chat or answer directly. If it's both, do both.
Use clear wording when logging meals or weight, and ask the agent to show or correct entries if something was interpreted incorrectly.
Anyone with the saved Haver API key could access or modify the user's Haver nutrition data through the API.
The skill relies on a bearer API key that gives the agent access to the user's Haver account data and actions. This is expected for the integration and is disclosed, but the key should be treated as sensitive.
Each user has a personal API key (prefixed `hv_`). Include it in every request... Registration returns a fresh API key. Save it immediately as persistent memory.
Only use this with a trusted agent environment, and rotate the key by re-registering if you suspect it was exposed.
Diet preferences, health goals, and conversation-derived details may persist and be reused in later sessions.
The service keeps persistent user memory from past conversations. For a nutrition coach this is purpose-aligned, but it may include sensitive health, preference, or lifestyle details that can influence future coaching.
GET {HAVER_API_URL}/api/me/memory... What Haver remembers about the user from past conversations. Useful for personalizing coaching.Avoid sharing information you do not want retained, and check Haver's privacy or deletion controls before using it for sensitive health details.
Food photos or image URLs supplied for logging or coaching may be transmitted to Haver.
The skill can send food text and optional images to Haver API endpoints. This is disclosed and fits the nutrition-tracking purpose, but it is still an external provider data flow involving potentially private images and health context.
Optional: include `"images": ["<base64 or URL>"]` for food photos.
Only upload photos you are comfortable sharing with Haver, and avoid including unrelated private information in images.