Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Recipe to List

Turn recipes into a Todoist Shopping list. Extract ingredients from recipe photos (Gemini Flash vision) or recipe web pages (search + fetch), then compare against the existing Shopping project with conservative synonym/overlap rules, skip pantry staples (salt/pepper), and sum quantities when units match. Also saves each cooked recipe into the workspace cookbook (recipes/).

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (extract ingredients using Gemini and add to a Todoist Shopping project) aligns with the code: the Python script calls Google's generativelanguage API and intends to invoke the Todoist CLI. Required tokens (GEMINI/GOOGLE API key and TODOIST_API_TOKEN) are reasonable for the stated functionality. The script also saves recipes locally into recipes/, which fits the 'cookbook' feature described.
Instruction Scope
SKILL.md describes only using GEMINI and Todoist, plus optional web_search/fetch. The shell wrapper (scripts/recipe-to-list.sh) sources ~/.clawdbot/.env before running the script — this file is not mentioned in the README and may expose unrelated environment variables/credentials. The Python script makes outbound HTTP requests (generativelanguage.googleapis.com and likely arbitrary recipe web pages) and writes files under recipes/ — these behaviors are expected, but the undocumented sourcing of a home-directory .env expands scope without disclosure.
Install Mechanism
There is no install spec (instruction-only with bundled scripts), so nothing external is auto-downloaded or installed by the skill. That is lower risk, but the included Python script will perform network I/O at runtime.
Credentials
Requesting GEMINI/GOOGLE API key and TODOIST_API_TOKEN is proportionate. However, the shell wrapper sources ~/.clawdbot/.env (exports all variables found there) — this is not declared in SKILL.md and could cause unrelated secrets from the user's home directory to be read and used or leaked. Also the script may call external CLIs (todoist) via subprocess; confirm where tokens are used and that they are scoped appropriately.
Persistence & Privilege
The skill is not always-enabled and has normal invocation permissions. It writes recipe markdown into a local recipes/ directory (expected behavior) and does not claim to modify other skills or global agent settings.
What to consider before installing
This skill appears to do what it claims (use Gemini to parse photos and add items to Todoist), but there are two things you should verify before installing or running it:

  1. Inspect ~/.clawdbot/.env and the wrapper script. The wrapper will source ~/.clawdbot/.env (exporting any variables in that file) before running the Python script; SKILL.md does not mention this. If that file contains unrelated secrets (AWS keys, SSH_AGENT, other service tokens), those could be read/used. Remove sensitive data from that file or edit the wrapper to avoid sourcing it.
  2. Audit the Python script for subprocess/network behavior. Search the script for usages of subprocess/urllib or any hard-coded endpoints to confirm only the Google Generative Language API, recipe web pages, and the Todoist CLI are contacted. Run the tool with --dry-run first and/or in an isolated environment (container or throwaway VM). Prefer providing only the minimal API tokens (scoped keys) needed for Gemini and Todoist.

Additional safe steps: run python -m pip install in a virtualenv if needed, run the script with --dry-run and --no-save to confirm output, and review any 'todoist' CLI command invocations in the code to ensure they are constructed safely (avoid shell=True or unescaped user inputs). If you are not comfortable auditing the code, don't expose high-privilege credentials to it.
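As an added illustration of the two audit points above (this is not the skill's own code): read only the allow-listed variables out of the .env text instead of sourcing the whole file, and hand model-derived item strings to the CLI as separate argv entries rather than through a shell. The `todoist add … --project` argument shape is a hypothetical placeholder; check the real todoist-ts-cli syntax before reusing it.

```python
import os
import re
import subprocess

# Only what the skill needs; anything else in ~/.clawdbot/.env stays out of the process.
ALLOWED_VARS = ("TODOIST_API_TOKEN", "GEMINI_API_KEY", "GOOGLE_API_KEY")
_ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Z_][A-Z0-9_]*)\s*=\s*(.*?)\s*$")

def load_scoped_env(dotenv_text, allowed=ALLOWED_VARS):
    """Pick allow-listed KEY=VALUE lines out of .env text without executing it.

    `source ~/.clawdbot/.env` exports every variable (and runs any command
    the file happens to contain); this reads plain assignments and ignores the rest.
    """
    picked = {}
    for line in dotenv_text.splitlines():
        m = _ASSIGN.match(line)
        if not m or m.group(1) not in allowed:
            continue  # comments, blanks, unrelated secrets, anything non-assignment
        value = m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # strip matching quotes; no $VAR expansion
        picked[m.group(1)] = value
    return picked

def build_add_command(item, project="Shopping"):
    """argv for a hypothetical `todoist add` invocation (placeholder syntax).

    The item is a single argv element, so shell metacharacters in model output
    are inert; rejecting newlines and oversized strings keeps task titles sane.
    """
    if not item.strip() or "\n" in item or len(item) > 200:
        raise ValueError(f"rejected item: {item!r}")
    return ["todoist", "add", item, "--project", project]

def add_item(item, scoped_env, dry_run=True):
    """Invoke the CLI with a minimal environment; dry_run only returns argv."""
    argv = build_add_command(item)
    if dry_run:
        return argv
    env = {k: os.environ[k] for k in ("PATH", "HOME") if k in os.environ}
    env.update(scoped_env)                      # scoped tokens only, never the full .env
    subprocess.run(argv, env=env, check=True)   # shell=False is the default
    return argv
```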


Current version: v0.1.3


SKILL.md

Create Shopping List (Gemini Flash + Todoist)

Target flow:

  1. Input is either a photo or a recipe web search
  2. Extract ingredients (Gemini Flash for photos; web_fetch text → Gemini for websites)
  3. Pull current Todoist Shopping list
  4. Compare using overlap + synonym mapping (kept conservative; only merge high-confidence equivalents like coriander↔cilantro, panko↔breadcrumbs)
  5. Update Shopping (default: add only missing items; skip salt/pepper)

Use the bundled script to handle the photo → ingredients → Shopping update part.

It also automatically saves a markdown entry into recipes/ (your cookbook knowledge base) and appends to recipes/index.md.

For the recipe-name → web search path, confirm the matched recipe before acting: use web_search + web_fetch, then feed the extracted ingredients into the same update logic (and save the recipe).

Prereqs

  • Env: GEMINI_API_KEY (or GOOGLE_API_KEY) for Gemini
  • Env: TODOIST_API_TOKEN for Todoist
  • Bin: todoist (todoist-ts-cli)

Output formatting

  • Items are reformatted to start with the ingredient name, followed by a parenthetical quantity.
  • The Shopping list is kept flat (no Todoist sections/groups).
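Steps 3 to 5 of the flow and the output format above, as an added example of the merge rules (not the skill's script): conservative synonyms, pantry skipping, summing only when units match, and the `name (qty unit)` format. The unit list and the two regexes are assumptions; only the synonym pairs named in the skill are merged.

```python
import re
PANTRY = {"salt", "kosher salt", "pepper", "black pepper"}
SYNONYMS = {"cilantro": "coriander", "breadcrumbs": "panko"}  # only high-confidence pairs
UNITS = {"g", "kg", "ml", "l", "oz", "lb", "cup", "cups", "tbsp", "tsp", "clove", "cloves", "bunch"}
_RECIPE = re.compile(r"^(\d+(?:\.\d+)?)\s+(\S+)\s*(.*)$")        # "100 g flour"
_LISTED = re.compile(r"^(.*?)\s*\((\d+(?:\.\d+)?)\s*(\S*)\)$")   # "flour (200 g)"

def canonical(name):
    name = " ".join(name.lower().split())  # lower-case, collapse whitespace
    return SYNONYMS.get(name, name)        # then the conservative synonym map

def parse_recipe_item(text):
    """'100 g flour' -> ('flour', 100.0, 'g'); '2 onions' -> ('onions', 2.0, '')."""
    m = _RECIPE.match(text.strip())
    if not m:
        return canonical(text), 0.0, ""
    qty, tok, rest = float(m.group(1)), m.group(2), m.group(3)
    if tok.lower() in UNITS:
        return canonical(rest), qty, tok.lower()
    return canonical(f"{tok} {rest}"), qty, ""  # unknown token stays in the name

def parse_listed_item(text):
    """Existing Shopping entry 'flour (200 g)' -> ('flour', 200.0, 'g')."""
    m = _LISTED.match(text.strip())
    if not m:
        return canonical(text), 0.0, ""
    return canonical(m.group(1)), float(m.group(2)), m.group(3).lower()

def format_item(name, qty, unit):
    if not qty:
        return name
    qty = int(qty) if qty == int(qty) else qty
    return f"{name} ({qty}{' ' + unit if unit else ''})"

def plan_update(existing_texts, recipe_texts, include_pantry=False):
    """Return (action, text) pairs: add missing items, sum matching units, skip the rest."""
    existing = {n: [q, u] for n, q, u in map(parse_listed_item, existing_texts)}
    actions = []
    for name, qty, unit in map(parse_recipe_item, recipe_texts):
        if name in PANTRY and not include_pantry:
            actions.append(("skip", name))
        elif name not in existing:
            existing[name] = [qty, unit]
            actions.append(("add", format_item(name, qty, unit)))
        elif existing[name][1] == unit and existing[name][0] and qty:
            existing[name][0] += qty
            actions.append(("update", format_item(name, *existing[name])))
        else:
            actions.append(("skip", name))  # already listed; units differ, so no guessed sum
    return actions
```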

Run

python3 skills/recipe-to-list/scripts/recipe_to_list.py \
  --image /path/to/photo.jpg \
  --title "<optional title>" \
  --source "photo:/path/to/photo.jpg"

Optional flags

  • --model gemini-2.0-flash (default; falls back automatically) or any compatible Gemini vision model
  • --dry-run to print extracted items without creating tasks
  • --prefix "[Recipe] " to prefix each created task
  • --no-overlap-check to skip checking your existing Shopping list
  • --include-pantry to include salt/pepper
  • --no-save to skip saving into recipes/

What to send to the model

The script prompts Gemini to return strict JSON:

{
  "items": ["2 large globe eggplants", "kosher salt", "..."],
  "notes": "optional"
}

If parsing fails, rerun with a clearer crop (ingredients list only) or provide a manual list.
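An added example (not the skill's code) of validating the reply strictly before trusting it: strip a Markdown fence the model may wrap around the JSON, require the {"items": [...]} shape, drop the prompt's "..." placeholder, and raise on anything else so the caller can fall back to a clearer crop or a manual list. The size limits are assumptions.

```python
import json
import re

MAX_ITEMS = 60        # assumption: a plausible upper bound for one recipe
MAX_ITEM_LEN = 120    # assumption: longer strings are not ingredient lines
_FENCE = re.compile(r"^```[a-zA-Z]*\s*|\s*```$")

class ExtractionError(ValueError):
    """The model reply is not the strict shape the prompt asked for."""

def parse_ingredients(reply):
    """Validate a Gemini reply against {"items": [str, ...], "notes": str}.

    Model output is untrusted: it may carry a code fence, extra keys, or
    non-string entries. Anything off-shape raises instead of being guessed at.
    """
    text = _FENCE.sub("", reply.strip()).strip()
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ExtractionError(f"not JSON: {exc.msg}") from exc
    if not isinstance(data, dict) or not isinstance(data.get("items"), list):
        raise ExtractionError("missing 'items' list")
    items = []
    for raw in data["items"]:
        if not isinstance(raw, str):
            raise ExtractionError(f"non-string item: {raw!r}")
        item = " ".join(raw.split())      # collapse newlines and repeated spaces
        if not item or item == "...":
            continue                       # empty entry or the prompt's own placeholder
        if len(item) > MAX_ITEM_LEN:
            raise ExtractionError("item too long; likely not an ingredient line")
        items.append(item)
    if not items or len(items) > MAX_ITEMS:
        raise ExtractionError(f"implausible item count: {len(items)}")
    notes = data.get("notes", "")
    return items, notes if isinstance(notes, str) else ""
```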
