ClawHub
Back to skill
v1.0.0

make a recipe

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:25 AM.

Analysis

This is a simple Pomodoro timer skill with user-directed terminal commands and a small optional local log, though its display name is confusing.

GuidanceThis appears safe for a basic terminal Pomodoro timer. Before installing, note that the skill name does not match its purpose, the notification command is macOS-specific, and the optional log command writes session timestamps to ~/pomodoro.log.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation
SeverityInfoConfidenceHighStatusNote
metadata
Name: make a recipe ... Description: Use this skill when a user wants to run timed focus sessions

The public name does not match the stated Pomodoro timer purpose, which could confuse users, although the description and SKILL.md content are consistent with a focus timer.

User impactA user might install it expecting a recipe-related skill, but the actual behavior shown is a Pomodoro timer.
RecommendationRename the skill to match its purpose, such as “pomodoro timer,” to avoid confusion.
Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
echo "🍅 Focus started at $(date +%H:%M)" && sleep 1500 && osascript -e 'display notification "Time for a break!" with title "Pomodoro"'

The skill tells the agent/user to run terminal commands. This is central to the stated terminal timer purpose and does not show destructive or hidden behavior.

User impactRunning the timer will occupy a terminal command for the timer duration and, on macOS, display a notification.
RecommendationOnly run the command when you actually want to start a timed session; adapt the notification command for non-macOS systems.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityInfoConfidenceHighStatusNote
SKILL.md
echo "$(date +%Y-%m-%d) $(date +%H:%M) - 25min focus" >> ~/pomodoro.log

The skill can append completed-session timestamps to a local log file. This is purpose-aligned but creates a small persistent activity record.

User impactA local file may record when focus sessions were completed.
RecommendationUse the logging command only if you are comfortable keeping this local activity history, and delete ~/pomodoro.log if you no longer want it.