Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

FoodLens

v1.0.0

AI-powered meal photo recognition and nutrition tracking. Use when a user sends a food/meal photo with keywords like breakfast, lunch, dinner, snack, or "wha...

by Karl Yang (@yxjsxy)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name and description (meal-photo recognition, nutrition tracking) match the actions described: saving photos, running analyze_photo.py, consulting a local nutrition_db, appending JSON logs, and producing summaries. No unrelated credentials, binaries, or services are requested.
Instruction Scope
The instructions explicitly direct the agent to save photos, activate a virtualenv, run local Python scripts (analyze_photo.py), import from a local module (foodlens), and then write JSON logs under a user directory. This is expected for a local tracker, but it means the skill will execute whatever Python code is present in $FOODLENS_DIR and will read and write files there. The fallback path also uses an 'image' tool / GPT-4o Vision, which sends image data to external model providers.
Install Mechanism
No install spec or third-party downloads are present (instruction-only). That reduces supply-chain risk, but it requires the user to supply the code, venv, and dependencies. The skill assumes local project files exist; nothing is downloaded automatically.
Credentials
The skill declares no required environment variables, credentials, or config paths beyond optional defaults for $FOODLENS_DIR and venv. The only notable external interaction is use of LLM vision/image tools (model/provider usage), which is consistent with image analysis but has privacy implications.
Persistence & Privilege
always:false (no forced global inclusion). The skill writes persistent data (data/YYYY-MM-DD.json) and expects a venv and local files under the specified workspace directory. Writing user-local logs is coherent for the purpose but grants the skill filesystem persistence within that directory.
Assessment
This skill appears to do what it says, but it runs local Python code and sends images to LLM vision tools. Before installing or invoking: (1) Inspect the contents of $FOODLENS_DIR (especially analyze_photo.py, nutrition_db.py, and any activation scripts) to ensure they are safe and from a trusted source; (2) Run the code in an isolated environment (dedicated venv or container); (3) Be aware that images will be sent to external model providers (privacy risk) — avoid sending sensitive photos; (4) Back up any data you care about before letting the skill write to data/YYYY-MM-DD.json; (5) If you don’t already have the project code, obtain it from a trustworthy source rather than relying on this instruction-only skill to function automatically.
