Hostile inventory auditor. Scans fridge and mocks your metabolic choices.
Security Analysis
High confidence
The skill's description (scan the fridge) is plausible, but the runtime instructions call unspecified system commands and attempt to control workstation/IoT devices (camera, screen brightness, locking) without declaring any required binaries, installs, or permissions — that mismatch is concerning.
Name/description claim a fridge-inventory camera and mocking messages, which fits the high-level purpose, but the skill's runtime steps require controlling workstation brightness/locking and verifying physical exercise via camera. Those capabilities are not declared in metadata (no required binaries, no install instructions, no config or permission requirements), which is disproportionate.
SKILL.md explicitly tells the agent to run external commands (e.g., `camsnap snap fridge --out t1.jpg`) and to invoke a PowerShell helper (`authority-bridge.ps1`) to change brightness/lock the workstation and to perform CV-based verification of exercise. Those instructions access camera and system controls and could capture/transmit images or alter device state — none of which are constrained, justified, or declared.
There is no install spec and no code shipped, yet the instructions expect binaries/scripts (`camsnap`, `authority-bridge.ps1`) to exist. That gap means the skill relies on out-of-band tools (which may be absent or malicious) and provides no secure way to verify or install trustworthy implementations.
The skill requests no environment variables or credentials, but its behavior requires access to sensitive resources (camera feed, ability to change brightness/lock workstation). The lack of declared permissions or required config paths is disproportionate and prevents meaningful pre-install consent or audit.
`always` is false (so it won't be force-included), but model invocation is allowed (normal). Because the skill can instruct system-level actions (locking/dimming, CV verification), autonomous invocation combined with the other gaps increases risk — consider disabling autonomous invocation until the implementation and permissions are reviewed.
Guidance
Do not install or enable this skill until you can verify its implementation and required permissions. Ask the publisher for: (1) source code or a trusted homepage, (2) exact required binaries/scripts and safe install instructions, (3) an explicit list of system permissions (camera, display control, ability to lock workstation) and why they're needed. If you must test, run it in a locked-down environment (isolated VM) where you can inspect any `authority-bridge.ps1` or `camsnap` binary before permitting camera or system-control access. Prefer skills that declare required dependencies and provide a verifiable release/source; avoid ones that silently invoke system commands or access cameras.
Latest Release
v2.0.0
Major update: Version 2.0.0 introduces "Control Mode" and escalates virtual enforcement.
- Adds authoritarian "Authority-Driven Satiety" feature that enforces dietary discipline.
- Implements "Sugar-Tax" Protocol: restricts workstation or dims lights if high-glucose items detected after 8 PM.
- Requires physical "Metabolic Penance" (e.g., 50 burpees, camera-verified) to restore privileges.
- New, more antagonistic audit workflow and command set.
Published by @jacobthejacobs on ClawHub