MenuVision

Pass

Audited by ClawScan on May 1, 2026.

Overview

MenuVision appears purpose-aligned, but it uses a Google API key, sends menu inputs to Gemini, generates local Python scripts, and optionally publishes menus online.

This skill looks reasonable for its purpose. Before installing, be comfortable using a Google API key with Gemini, sending menu materials to Gemini, reviewing generated Python scripts before running them, and approving any GitHub Pages publishing step only after checking the output and target site.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can use the configured Google API key, which may incur usage costs or access the associated Gemini account quota.

Why it was flagged

The skill needs a Google API key to call Gemini services. This is expected for the stated Gemini Vision and image-generation purpose, but it is still credentialed access.

Skill content

Required env vars: GOOGLE_API_KEY; Primary credential: GOOGLE_API_KEY

Recommendation

Use a dedicated or restricted Google API key where possible, monitor usage, and avoid sharing the key in prompts or generated files.

What this means

Restaurant URLs, PDFs, photos, and extracted menu details may leave the local environment for processing by Gemini.

Why it was flagged

The documented workflow sends menu source material and derived menu data to Gemini services. This is purpose-aligned, but it is an external provider data flow.

Skill content

Extract: URL/PDF/photo → menu_data.json (Gemini Vision); Generate: menu_data.json → images/*.jpg (Gemini Image)

Recommendation

Only use inputs you are comfortable sending to Gemini, and review Google/Gemini data handling policies for sensitive or unpublished menu materials.

What this means

The agent may write and run local scripts that fetch inputs, call Gemini, generate images, and build files.

Why it was flagged

The skill is instruction-only and directs the agent to create local Python scripts for the workflow. This is central to the skill's design, but generated code should be reviewed before running.

Skill content

The AI agent creates these scripts: extract_menu.py, generate_images.py, build_menu.py, publish_menu.py

Recommendation

Inspect generated scripts before execution, run them in a project directory, and avoid granting broader local or account access than needed.

What this means

If used, the publish step could post or update public GitHub Pages content.

Why it was flagged

The optional publishing step could make generated menu content public. The artifact presents it as optional and purpose-aligned, not automatic.

Skill content

publish_menu.py | (Optional) Publish HTML to GitHub Pages

Recommendation

Require explicit user confirmation before publishing, review the generated HTML and target repository, and keep publishing credentials separate from the Google API key.