Mealie Recipe Manager

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Mealie API client, but it can use your Mealie token to change or delete recipes, shopping-list items, and meal plans when those commands are run.

Install this only for a Mealie instance you trust. Store the token in the documented env file, use HTTPS where possible, use the least-privileged Mealie token available, and review agent requests before allowing delete or edit commands because those operations change remote Mealie data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill documents destructive operations such as `delete-recipe`, `delete-item`, and `delete-meal` without any warning, confirmation prompt guidance, or emphasis that these actions are irreversible. In an agentic context, this increases the chance of accidental data loss because users or higher-level agents may invoke these commands without understanding their consequences.

Missing User Warnings

Low

Confidence: 84% confidence
Finding: The skill asks users to configure an API token and connect to a self-hosted remote service, but it does not clearly state that commands will transmit recipe, shopping list, and meal-plan data to that server using the supplied credentials. This omission can lead to uninformed use of sensitive tokens and remote data operations, though the risk is limited by the expected nature of an API client skill.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal