NutriGx Advisor

Generates a personalized nutrition report from consumer genetic data analyzing key SNPs to provide actionable dietary and supplementation guidance.

This skill appears to do what it says: local parsing of consumer genotype files and generation of a nutrition report. Before installing or running it, consider the following: - Sensitive data: the tool processes personal genetic files. Only run it on data you control and trust the machine to handle; do not upload those files to third parties unless you explicitly consent. - Provenance & outputs: the reproducibility bundle writes checksums and a provenance.json that includes the input filename into the output directory. If filenames are sensitive, either rename or remove them before sharing outputs. - External dependency: environment.yml includes a pip package (clawbio==0.1.0). If you recreate the conda/pip environment, review that package's source and trustworthiness before installing it. Running the included scripts without creating the conda env will use only the bundled code, but you still need the listed Python libraries installed locally. - Isolation: run the skill in an isolated environment (virtualenv / dedicated VM / container) if you have privacy or supply-chain concerns. - Source verification: registry metadata shows 'Source: unknown' and no homepage. If you require provenance, ask the publisher for a source repo or digital signatures before relying on this for clinical decisions. If you only need a quick, local test, use the provided synthetic patient file and review outputs before processing real genetic data.

Type: OpenClaw Skill Name: nutrigx-advisor Version: 0.2.0 The skill is classified as suspicious due to a shell injection vulnerability in the `repro_bundle.py` file. When generating the `commands.sh` script for reproducibility, command-line arguments are concatenated into a shell string without proper quoting or sanitization. If a user-provided argument (e.g., `--output`) contains shell metacharacters, executing the generated `commands.sh` could lead to arbitrary command execution. While this is a vulnerability in an output artifact intended for manual user execution, and not directly exploited by the OpenClaw agent, it represents a significant security flaw. Additionally, `parse_input.py` and `generate_report.py` handle user-provided file paths without explicit path traversal sanitization, posing a potential local file read/write vulnerability.