Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

nutrition-and-health

v1.0.0

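Your personal health advisor - understands you, keeps you company, and looks after your health in every way. Trigger scenarios (Chinese): - healthy eating, healthy living, health advice - nutritional pairing, balanced nutrition, nutrition advice - wellness recipes, wellness advice, everyday wellness - how to condition the body, conditioning advice - what to eat while cutting fat, weight-loss recipes, slimming - what to eat when working out, muscle-gain diet, body shaping - what to eat with a weak stomach, stomach-nourishing recipes - everyday health care...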

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill claims to provide personalized recommendations and lists multiple helper scripts (recommend_food.py, recommend_drink.py, nutrition_tips.py, health_advice.py) in SKILL.md/README, but only one script (get_to_know_you.py) is actually included. That inconsistency means the shipped package may not implement claimed capabilities or may rely on missing code that could be supplied later from an external source.
Instruction Scope
Runtime instructions ask the agent to collect sensitive personal health data (age, weight, health conditions, habits) and promise local-only storage. The SKILL.md does not direct reading unrelated system files or environment variables, but it also does not include code showing how/where the data is saved locally — the data-handling implementation is therefore unclear.
Install Mechanism
There is no install spec (instruction-only + a small local Python helper), so nothing is downloaded or executed automatically beyond included files — low install risk. No external URLs, package managers, or archive extraction are used.
Credentials
The skill requests no environment variables, binaries, or credentials. The lack of requests for external secrets is proportionate to the described offline/local functionality.
Persistence & Privilege
always is false and the skill is user-invocable (normal). The SKILL.md promises local storage of personal profile, but there is no visible code implementing persistent storage; verify where and how profile data is stored before trusting sensitive information to the skill.
What to consider before installing
This skill looks like a straightforward local nutrition helper, but there are important mismatches you should resolve before installing or entering personal health data:
1) SKILL.md/README reference multiple recommendation scripts (recommend_food.py, recommend_drink.py, nutrition_tips.py, health_advice.py) that are not included — ask the author for the missing files or check the referenced GitHub repo.
2) The skill promises all data is stored locally, but there is no visible code that writes or reads a persistent profile — request or inspect the storage implementation and confirm the exact local file path and format.
3) Because you will be asked for sensitive health data, only proceed if you can inspect the full code (especially any code that sends network requests) or run it in a sandboxed environment.
4) If the author points to the GitHub repo in _meta.json, review that repository to ensure files are complete and unchanged.
If you cannot verify these points, treat the skill as untrusted and do not enter detailed health records.

Like a lobster shell, security has layers — review code before you run it.

latestvk97exqa11m2rerd6d4vt5assp9843zbw
