Security scan
OpenClaw
Suspicious
medium confidence
Assessment recommendation
This skill is a plausible FatSecret client, but the package metadata and the runtime instructions disagree about credential handling: SKILL.md and the Python scripts expect you to provide a FatSecret Consumer Key and Secret and will save them (and OAuth tokens) to a local config directory (default ~/.config/fatsecret). Before installing: 1) Verify you trust the author and the repository source (homepage is missing). 2) Inspect the included scripts (you have them) to confirm endpoints (authentic...
ℹ Purpose and capabilities
Name/description, scripts, and code files align with a FatSecret integration (search, barcode, recipes, diary logging). The code uses FatSecret and OpenFoodFacts endpoints only, which fits the stated purpose. However, the registry metadata claims no required credentials or env vars, while SKILL.md and the included scripts clearly require a FatSecret consumer key/secret (stored in a config file) and optionally accept FATSECRET_PROXY and FATSECRET_CONFIG_DIR; this metadata omission is an inconsistency.
✓ Instruction scope
SKILL.md and the scripts confine actions to the FatSecret API flow: creating a local config directory, saving consumer key/secret to a local config.json, running OAuth1/OAuth2 flows against FatSecret endpoints, and storing tokens in ~/.config/fatsecret (or FATSECRET_CONFIG_DIR). The agent helper and CLI wrap the same flows. The example uses subprocess.run to call the included scripts, which is expected for a local CLI-driven skill. There are no instructions to read unrelated system files or exfiltrate data to third-party endpoints beyond FatSecret/OpenFoodFacts.
ℹ Install mechanism
There is no formal install spec in the registry (instruction-only), but the package contains Python code and a requirements.txt; SKILL.md instructs creating a venv and running pip install -r requirements.txt, which is a reasonable approach. No downloads from arbitrary URLs or archive extraction are used. The mismatch between 'no install spec' and the included code means users might overlook the need to install dependencies; that is a usability/integrity issue rather than a direct security exploit, but it is worth noting.
⚠ Credential requirements
All credentials requested by the code (FatSecret consumer key/secret and tokens) are appropriate for the declared functionality and no unrelated secrets are requested. However, the registry metadata lists no required env vars or primary credential while SKILL.md declares FATSECRET_CONSUMER_KEY and FATSECRET_CONSUMER_SECRET (and optional FATSECRET_PROXY, FATSECRET_CONFIG_DIR). The code actually prefers storing creds in a config.json in ~/.config/fatsecret. This mismatch between manifest and runtime is a proportionality/clarity problem and could mislead users into installing without realizing they'll need to provide sensitive keys or where they will be stored.
✓ Persistence and permissions
The skill does not request forced/always-on installation. It stores credentials and tokens locally under a dedicated config directory (default ~/.config/fatsecret or FATSECRET_CONFIG_DIR) and does not modify other skills or system-wide agent settings. Local persistence of tokens is necessary for diary logging; however, because the secrets are stored in plaintext JSON, users should restrict the directory and its files to owner-only permissions and consider mounting a protected volume in containers.
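The assessment asks you to confirm the scripts' endpoints before installing, and the persistence section notes that keys and tokens land in plaintext JSON under ~/.config/fatsecret (or FATSECRET_CONFIG_DIR). The following is an added example, not code from the skill or from this scan report: a reviewer's pre-install helper that (1) lists every URL in a skill directory whose host falls outside the FatSecret/OpenFoodFacts domains the report names, and (2) checks and tightens the config directory to owner-only permissions. The sample fatsecret.py content and the example.invalid URL are constructed for the demo; the allowed-host suffixes are an assumption drawn from the report, and config.json is the filename the report mentions.

```python
"""Pre-install review helpers for a CLI skill that stores API keys locally.

Added example for this scan report; not the skill's own code.
"""
from __future__ import annotations

import os
import re
import stat
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Assumption from the report: only these two domains are expected in the scripts.
ALLOWED_HOST_SUFFIXES = ("fatsecret.com", "openfoodfacts.org")

# Crude but sufficient URL matcher for source and markdown files.
URL_RE = re.compile(r"https?://[^\s'\"<>)\]]+")


def extract_urls(source: str) -> list[str]:
    return URL_RE.findall(source)


def host_allowed(url: str, allowed=ALLOWED_HOST_SUFFIXES) -> bool:
    """Exact domain or a subdomain of an allowed domain; rejects look-alikes
    such as fatsecret.com.evil.example."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in allowed)


def audit_endpoints(skill_dir: Path, allowed=ALLOWED_HOST_SUFFIXES) -> dict[str, list[str]]:
    """Return {relative file: [unexpected URLs]} for text files under skill_dir."""
    findings: dict[str, list[str]] = {}
    for path in sorted(skill_dir.rglob("*")):
        if not path.is_file() or path.suffix not in (".py", ".md", ".txt", ".json"):
            continue
        text = path.read_text(errors="replace")
        bad = [u for u in extract_urls(text) if not host_allowed(u, allowed)]
        if bad:
            findings[str(path.relative_to(skill_dir))] = bad
    return findings


def resolve_config_dir(env: dict) -> Path:
    """Same precedence the report describes: FATSECRET_CONFIG_DIR, else the default."""
    return Path(env.get("FATSECRET_CONFIG_DIR") or "~/.config/fatsecret").expanduser()


def world_readable_secrets(config_dir: Path) -> list[str]:
    """Names of JSON files in config_dir readable or writable by group/others."""
    return [f.name for f in sorted(config_dir.glob("*.json"))
            if stat.S_IMODE(f.stat().st_mode) & 0o077]


def harden_config_dir(config_dir: Path) -> dict[str, str]:
    """Make the directory 0700 and every JSON file 0600; return resulting modes."""
    config_dir.mkdir(parents=True, exist_ok=True)
    os.chmod(config_dir, 0o700)
    modes = {str(config_dir): oct(stat.S_IMODE(config_dir.stat().st_mode))}
    for f in sorted(config_dir.glob("*.json")):
        os.chmod(f, 0o600)
        modes[f.name] = oct(stat.S_IMODE(f.stat().st_mode))
    return modes


# Constructed sample file; not the real skill's fatsecret.py.
SAMPLE_SCRIPT = '''API = "https://platform.fatsecret.com/rest/server.api"
TOKEN = "https://oauth.fatsecret.com/connect/token"
OFF = "https://world.openfoodfacts.org/api/v0/product/"
TELEMETRY = "https://example.invalid/collect"  # unexpected host: a red flag
'''


def demo():
    """Run both checks against a constructed skill tree and config dir."""
    with tempfile.TemporaryDirectory() as tmp:
        skill = Path(tmp, "skill")
        skill.mkdir()
        (skill / "fatsecret.py").write_text(SAMPLE_SCRIPT)
        (skill / "SKILL.md").write_text("Tokens are stored under the config dir.\n")
        findings = audit_endpoints(skill)

        cfg = resolve_config_dir({"FATSECRET_CONFIG_DIR": str(Path(tmp, "cfg"))})
        cfg.mkdir()
        secret = cfg / "config.json"
        secret.write_text('{"consumer_key": "x", "consumer_secret": "y"}')
        os.chmod(secret, 0o644)          # the typical default: world-readable
        before = world_readable_secrets(cfg)
        modes = harden_config_dir(cfg)
        after = world_readable_secrets(cfg)
        return findings, before, modes, after


if __name__ == "__main__":
    found, exposed_before, new_modes, exposed_after = demo()
    print("unexpected endpoints:", found)
    print("exposed before/after:", exposed_before, exposed_after, new_modes)
```

Point audit_endpoints at the unpacked skill directory before running npx clawhub install, and run harden_config_dir on whatever resolve_config_dir returns for your environment once the first OAuth flow has written its tokens.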
Security has layers; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.1.0 2026/2/19
● Suspicious
Install command
Official: npx clawhub@latest install fatsecret
Mirror: npx clawhub@latest install fatsecret --registry https://cn.longxiaskill.com