f-liva

Fatsecret

Author: Federico Liva · GitHub ↗ · v1.1.0
cross-platform ⚠ suspicious
Total downloads: 820
Favorites: 0
Current installs: 3
Versions: 7
Install in OpenClaw:
/install fatsecret
Description
FatSecret nutrition API integration for food search, nutritional lookup, barcode scanning, recipe search, and food diary logging. Use when user needs to find...
Usage (SKILL.md)

FatSecret Nutrition API

Complete integration with FatSecret for food data lookup AND diary logging.

⚠️ Authentication Methods

This skill supports two authentication methods for different use cases:

| Method | Use Case | User Login Required | Capabilities |
| --- | --- | --- | --- |
| OAuth2 (client_credentials) | Read-only access | ❌ No | Food search, barcode lookup, recipes |
| OAuth1 (3-legged) | Full access | ✅ Yes (one-time PIN) | All above + diary logging |

Which to use?

  • Just searching foods? → OAuth2 (simpler, no user login)
  • Logging to user's diary? → OAuth1 (requires user authorization)

🚀 Quick Start

1. Get API Credentials

  1. Go to https://platform.fatsecret.com
  2. Register an application
  3. Copy your Consumer Key and Consumer Secret

2. Save Credentials

mkdir -p ~/.config/fatsecret
cat > ~/.config/fatsecret/config.json << EOF
{
  "consumer_key": "YOUR_CONSUMER_KEY",
  "consumer_secret": "YOUR_CONSUMER_SECRET"
}
EOF

3. Install Dependencies

cd /path/to/fatsecret-skill
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt

4a. For Read-Only (OAuth2) - No user login needed

# Search works immediately
./scripts/fatsecret-cli.sh search "chicken breast"

4b. For Diary Logging (OAuth1) - One-time user authorization

# Run authentication flow
./scripts/fatsecret-cli.sh auth

# Follow prompts:
# 1. Visit the authorization URL
# 2. Log in with FatSecret account
# 3. Authorize the app
# 4. Enter the PIN shown

# Now you can log foods
./scripts/fatsecret-cli.sh quick egg 3 Breakfast

📋 CLI Commands

| Command | Auth Required | Description |
| --- | --- | --- |
| search <query> | OAuth2 | Search foods |
| barcode <code> | OAuth2 | Barcode lookup |
| recipes <query> | OAuth2 | Search recipes |
| auth | - | Run OAuth1 authentication |
| log | OAuth1 | Add food to diary (interactive) |
| quick <food> [qty] [meal] | OAuth1 | Quick log to diary |

🤖 Agent Integration

For OpenClaw Agents

from scripts.fatsecret_agent_helper import (
    get_authentication_flow,
    complete_authentication_flow,
    save_user_credentials
)

# Check authentication status
state = get_authentication_flow()

if state["status"] == "need_credentials":
    # Ask user for Consumer Key/Secret
    # Save with: save_user_credentials(key, secret)
    pass

elif state["status"] == "need_authorization":
    # Show authorization URL to user
    url = state["authorization_url"]
    # User visits URL, authorizes, gets PIN
    # Complete with: complete_authentication_flow(pin)
    pass

elif state["status"] == "already_authenticated":
    # Ready to use diary functions
    from scripts.fatsecret_diary_simple import quick_log
    quick_log("egg", quantity=3, meal="Breakfast")

Agent Helper Functions

| Function | Description |
| --- | --- |
| get_authentication_flow() | Check status, returns next step |
| save_user_credentials(key, secret) | Save API credentials |
| complete_authentication_flow(pin) | Complete OAuth1 with PIN |
| quick_log(food, qty, meal) | Log food to diary |
| log_food(food_id, serving_id, grams_or_ml, meal, name) | Precise logging |
| search_food(query, tokens) | Search foods |

⚠️ IMPORTANT: How grams_or_ml Works

The grams_or_ml parameter (called number_of_units in FatSecret API) is the ACTUAL amount, not a multiplier!

# ❌ WRONG - This logs only 1.56 grams (7 kcal)!
log_food(food_id, serving_100g_id, 1.56, "Breakfast", "Cookies")

# ✅ CORRECT - This logs 156 grams (741 kcal)
log_food(food_id, serving_100g_id, 156, "Breakfast", "Cookies")

Examples:

| What you want | Serving type | grams_or_ml value |
| --- | --- | --- |
| 156g of cookies | "100g" serving | 156 |
| 200ml of milk | "100ml" serving | 200 |
| 3 eggs | "1 large egg" serving | 3 |
| 2 slices of bread | "1 slice" serving | 2 |

🔐 Credential Storage

All credentials and tokens are stored locally:

| File | Contents | Created By |
| --- | --- | --- |
| $CONFIG_DIR/config.json | Consumer Key/Secret | User (manual) |
| $CONFIG_DIR/oauth1_access_tokens.json | OAuth1 access tokens | auth command |
| $CONFIG_DIR/token.json | OAuth2 token (auto-refreshed) | OAuth2 client |

Where $CONFIG_DIR is ~/.config/fatsecret by default, or the value of FATSECRET_CONFIG_DIR if set.

To revoke access: Delete the config folder and revoke app access from your FatSecret account settings.

🐳 Container/Docker Environments

In containerized environments (Docker, OpenClaw sandbox), ~/.config/ may not persist across restarts. Use FATSECRET_CONFIG_DIR to point to a persistent volume:

# Set env var to persistent directory
export FATSECRET_CONFIG_DIR="/home/node/clawd/config/fatsecret"

# Or prefix commands
FATSECRET_CONFIG_DIR="/persistent/path" ./scripts/fatsecret-cli.sh auth

OpenClaw example - add to your shell init or AGENTS.md:

export FATSECRET_CONFIG_DIR="/home/node/clawd/config/fatsecret"

🌐 Proxy Configuration (Optional)

Some FatSecret API plans require IP whitelisting. If needed, set a proxy:

# Environment variable
export FATSECRET_PROXY="socks5://127.0.0.1:1080"

# Or in config.json
{
  "consumer_key": "...",
  "consumer_secret": "...",
  "proxy": "socks5://127.0.0.1:1080"
}

If you don't need a proxy: The skill works without it. Proxy is only required if FatSecret blocks your IP.

🌍 Open Food Facts (Alternative)

For European products, use the free Open Food Facts API (no authentication):

from scripts.openfoodfacts_client import OpenFoodFactsClient

off = OpenFoodFactsClient(country="it")
products = off.search("barilla")
product = off.get_product("8076800105735")  # Barcode

📁 File Structure

fatsecret/
├── SKILL.md                      # This documentation
├── README.md                     # GitHub/ClawHub readme
├── requirements.txt              # Python: requests, requests[socks]
├── scripts/
│   ├── fatsecret-cli.sh          # Main CLI (bash wrapper)
│   ├── fatsecret_auth.py         # OAuth1 3-legged authentication
│   ├── fatsecret_agent_helper.py # Helper functions for agents
│   ├── fatsecret_diary_simple.py # Diary logging (OAuth1)
│   ├── fatsecret_client.py       # OAuth2 client (read-only)
│   └── openfoodfacts_client.py   # Open Food Facts client
└── examples/
    └── agent_usage_example.py    # Agent integration example

⚠️ Security Notes

  1. Credentials are stored locally in ~/.config/fatsecret/
  2. OAuth1 tokens don't expire unless you revoke them
  3. OAuth1 grants full access to your FatSecret diary (read + write)
  4. To uninstall safely: Delete ~/.config/fatsecret/ and revoke app from FatSecret account

Changelog

v1.0.1 (2026-02-20)

  • Fixed OAuth2 client - now uses OAuth1 for all operations (food search + diary)
  • Unified authentication: single OAuth1 flow works for both read and write operations
  • Removed broken OAuth2 implementation
Security usage recommendations
This skill is a plausible FatSecret client, but the package metadata and the runtime instructions disagree about credential handling: SKILL.md and the Python scripts expect you to provide a FatSecret Consumer Key and Secret and will save them (and OAuth tokens) to a local config directory (default ~/.config/fatsecret). Before installing:

  1. Verify you trust the author and the repository source (homepage is missing).
  2. Inspect the included scripts (you have them) to confirm endpoints (authentication.fatsecret.com and platform.fatsecret.com are correct).
  3. Run the skill inside an isolated environment or container (create the venv as instructed).
  4. When you provide keys, prefer using a dedicated FATSECRET_CONFIG_DIR mounted to a restricted persistent volume, and set file permissions (chmod 600) for config.json and token files.
  5. Do not set FATSECRET_PROXY unless you control/trust the proxy (a proxy could observe credentials and traffic).
  6. Ask the publisher to update registry metadata to list required credentials/env vars and clarify storage behavior.

If you are uncomfortable with plaintext token storage, consider wrapping the skill with a secrets manager or avoid diary-logging features that require OAuth1 tokens.
Functional analysis
Type: OpenClaw Skill
Name: fatsecret
Version: 1.1.0

The skill is classified as suspicious due to a shell injection vulnerability found in `scripts/fatsecret-cli.sh`. The script constructs Python commands by directly embedding user-provided arguments (e.g., search queries) into a string executed via `python3 -c`. This allows for a Python `SyntaxError` if the input contains unescaped single quotes, leading to a denial of service for the CLI script. While not immediately indicative of intentional malice, this is a clear input sanitization flaw. Other functionalities, such as the use of OAuth1 for full diary access and optional proxy configuration, are transparently documented and align with the skill's stated purpose.
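The quoting flaw described above, next to a safer pattern, as an added example that is not the skill's own code (the real fatsecret-cli.sh is not reproduced on this page). The function names and the JSON echo standing in for the API call are assumptions, and python3 must be on PATH.

```shell
#!/usr/bin/env bash
# Added illustration; NOT the contents of scripts/fatsecret-cli.sh.
# search_unsafe, search_safe and compare_variants are hypothetical names,
# and printing a JSON object stands in for the real API call.

# Flawed pattern: the shell expands $1 inside the double-quoted string, so
# the query becomes part of the Python source handed to `python3 -c`.
search_unsafe() {
    python3 -c "import json; print(json.dumps({'query': '$1'}))"
}

# Safer pattern: the Python source is a fixed, single-quoted string. The
# query travels as a separate argument and is read from sys.argv, so it is
# only ever data, never code.
search_safe() {
    python3 -c 'import json, sys; print(json.dumps({"query": sys.argv[1]}))' "$1"
}

# Run both variants on constructed sample queries and report the outcome.
compare_variants() {
    local q out
    for q in "chicken breast" "Lay's chips"; do
        if out="$(search_unsafe "$q" 2>/dev/null)"; then
            printf 'unsafe  ok    %s\n' "$out"
        else
            printf 'unsafe  FAIL  (Python rejected the source for: %s)\n' "$q"
        fi
        printf 'safe    ok    %s\n' "$(search_safe "$q")"
    done
}

# Print the comparison only when invoked as: ./example.sh demo
if [ "${1:-}" = "demo" ]; then
    compare_variants
fi
```

The same rule applies to any wrapper that shells out to an interpreter: keep the program text constant and pass user input through argv, stdin or the environment.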
Capability assessment
Purpose & Capability
Name/description, scripts, and code files align with a FatSecret integration (search, barcode, recipes, diary logging). The code uses FatSecret and OpenFoodFacts endpoints only, which fits the stated purpose. However, the registry metadata claims no required credentials or env vars while SKILL.md and the included scripts clearly require a FatSecret consumer key/secret (stored in a config file) and optionally accept FATSECRET_PROXY and FATSECRET_CONFIG_DIR — this metadata omission is an inconsistency.
Instruction Scope
SKILL.md and the scripts confine actions to the FatSecret API flow: creating a local config directory, saving consumer key/secret to a local config.json, running OAuth1/OAuth2 flows against FatSecret endpoints, and storing tokens in ~/.config/fatsecret (or FATSECRET_CONFIG_DIR). The agent helper and CLI wrap the same flows. The example uses subprocess.run to call the included scripts, which is expected for a local CLI-driven skill. There are no instructions to read unrelated system files or exfiltrate data to third-party endpoints beyond FatSecret/OpenFoodFacts.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but the package contains Python code and a requirements.txt; SKILL.md instructs creating a venv and running pip install -r requirements.txt — a reasonable approach. No downloads from arbitrary URLs or archive extraction are used. The mismatch between 'no install spec' and the included code means users might overlook the need to install dependencies; that's a usability/integrity issue rather than a direct security exploit, but it is worth noting.
Credentials
All credentials requested by the code (FatSecret consumer key/secret and tokens) are appropriate for the declared functionality and no unrelated secrets are requested. However, the registry metadata lists no required env vars or primary credential while SKILL.md declares FATSECRET_CONSUMER_KEY and FATSECRET_CONSUMER_SECRET (and optional FATSECRET_PROXY, FATSECRET_CONFIG_DIR). The code actually prefers storing creds in a config.json in ~/.config/fatsecret. This mismatch between manifest and runtime is a proportionality/clarity problem and could mislead users into installing without realizing they'll need to provide sensitive keys or where they will be stored.
Persistence & Privilege
The skill does not request forced/always-on installation. It stores credentials and tokens locally under a dedicated config directory (default ~/.config/fatsecret or FATSECRET_CONFIG_DIR) and does not modify other skills or system-wide agent settings. Local persistence of tokens is necessary for diary logging; however, storing secrets in plain JSON means users should ensure appropriate file permissions and consider using a protected volume in containers.
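One way to apply the file-permission advice for the plain-JSON credential files, as an added example that is not part of the skill. The function names are hypothetical, and the writer assumes the key and secret contain no characters that need JSON escaping.

```shell
#!/usr/bin/env bash
# Added illustration, not part of the skill; function names are hypothetical.

# Resolve the config directory the way SKILL.md describes it.
fatsecret_config_dir() {
    printf '%s\n' "${FATSECRET_CONFIG_DIR:-$HOME/.config/fatsecret}"
}

# Write config.json so it is never readable by group or others.
# Assumption: key ($1) and secret ($2) need no JSON escaping.
write_fatsecret_config() {
    local dir
    dir="$(fatsecret_config_dir)"
    (
        umask 077                      # new files 0600, new dirs 0700
        mkdir -p "$dir" && chmod 700 "$dir" || exit 1
        printf '{\n  "consumer_key": "%s",\n  "consumer_secret": "%s"\n}\n' \
            "$1" "$2" > "$dir/config.json"
        chmod 600 "$dir/config.json"   # also tightens a pre-existing file
    )
}

# Return non-zero and list every file under the config directory that has
# any group/other permission bit set (covers config.json and token files).
audit_fatsecret_perms() {
    local dir loose
    dir="$(fatsecret_config_dir)"
    loose="$(find "$dir" -type f \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)"
    [ -z "$loose" ] && return 0
    printf 'group/other access on:\n%s\n' "$loose" >&2
    return 1
}
```

Running audit_fatsecret_perms after the auth command catches token files that the skill itself created with a wider mode.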
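How to use
  1. Make sure OpenClaw is installed (locally or via Docker).
  2. Enter the install command in the chat box: /install fatsecret
  3. Once installation completes, call the Skill by name or trigger it with /fatsecret.
  4. Provide the required inputs according to the Skill's parameter description to get structured output.
Version history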
v1.1.0
OAuth fix: unified OAuth1 authentication for all operations. Removed broken OAuth2 client. All features now working via single OAuth1 flow.
v1.0.5
Added FATSECRET_CONFIG_DIR env var for persistent storage in containers/Docker
v1.0.4
CRITICAL FIX: Clarified grams_or_ml parameter - it's the ACTUAL amount, not a multiplier. Added warning for suspiciously low values. Better documentation with examples.
v1.0.3
Fixed proxy default: now None instead of hardcoded localhost. Proxy is loaded from FATSECRET_PROXY env or config file only when explicitly set.
v1.0.2
Cleaned documentation, removed internal development notes
v1.0.1
Security fixes: clarified OAuth1 vs OAuth2 flows, removed unused files, improved documentation, made proxy optional
v1.0.0
FatSecret v1.0.0 - Initial release with complete FatSecret nutrition API integration: food search, nutrition lookup, barcode scanning, recipe search, and food diary logging.
  • Supports both FatSecret (US, requires API key and OAuth1) and Open Food Facts (EU/Italy, read-only, no auth).
  • Automated OAuth1 authentication flow for users with persistent token storage.
  • Command line interface (CLI) for quick search, logging, and barcode/recipe lookups.
  • Python API for agents with helper functions for authentication and diary logging.
Metadata
Slug: fatsecret
Version: 1.1.0
License:
Total installs: 4
Current installs: 3
Historical versions: 7
FAQ

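What is Fatsecret?

FatSecret nutrition API integration for food search, nutritional lookup, barcode scanning, recipe search, and food diary logging. Use when user needs to find... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 820 total downloads so far.

How do I install Fatsecret?

Run the command "/install fatsecret" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.

Is Fatsecret free?

Yes, Fatsecret is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Fatsecret support?

Fatsecret is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Fatsecret?

It is developed and maintained by Federico Liva (@f-liva); the current version is v1.1.0.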
