Recipe to List

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises, but it handles credentials and account-changing Todoist actions broadly enough that users should review it before installing.

Install only if you are comfortable sending recipe photos or text to Gemini and letting the skill create or update tasks in your Todoist Shopping project. Start with --dry-run, use --no-save for private recipes, crop photos to the ingredient list, and avoid the shell wrapper unless ~/.clawdbot/.env contains only the Gemini and Todoist credentials needed for this skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Tainted flow: 'req' from os.environ.get (line 528, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
            method="POST",
        )
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                raw = resp.read().decode("utf-8")
            break
        except urllib.error.HTTPError as e:
Confidence
98% confidence
Finding
with urllib.request.urlopen(req, timeout=timeout) as resp:

Tainted flow: 'req' from os.environ.get (line 528, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
            method="POST",
        )
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                raw = resp.read().decode("utf-8")
            break
        except urllib.error.HTTPError as e:
Confidence
97% confidence
Finding
with urllib.request.urlopen(req, timeout=timeout) as resp:

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill advertises and relies on sensitive capabilities including environment-variable access, file read/write, network access, and shell execution, but does not declare permissions. This weakens user consent and review because the skill can reach external APIs, modify local workspace files, and invoke binaries without an explicit capability disclosure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
80% confidence
Finding
The documented behavior does not fully match the described functionality: it claims web-page extraction support that is not actually implemented and omits additional normalization/purchase-conversion logic. Behavior mismatches are dangerous because users may make trust decisions based on incomplete or inaccurate descriptions, especially when the skill can create Todoist tasks and alter saved recipe records.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The wrapper script automatically sources every variable from ~/.clawdbot/.env and exports them into the child process environment, even though the script only appears to need a limited set of tokens for recipe processing. This broad credential loading increases exposure of unrelated secrets to the Python script and any downstream libraries, creating unnecessary credential access and possible leakage if the Python code, dependencies, or logs are compromised.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill states that it saves files locally, but it does not clearly warn that recipe images or page-derived content are sent to external services such as Gemini and Todoist. This is a privacy and data-handling issue because users may provide proprietary, personal, or copyrighted recipe content without realizing it leaves the local environment.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill discusses updating the Shopping list, but it does not present a clear, prominent warning that running it will create tasks in the user's Todoist project by default. Hidden or understated side effects are risky because users may unintentionally modify production task data rather than merely preview extracted ingredients.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script silently loads local environment tokens from ~/.clawdbot/.env without notifying the user, which means sensitive credentials are accessed as a side effect of running a seemingly simple image-processing command. In a skill that processes user-supplied recipe images, this undisclosed secret loading expands trust boundaries and can expose credentials to code paths unrelated to the user's expectation.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill uploads recipe photo contents to a third-party API without an in-context warning at the action point, which materially affects user privacy. In this skill, the image may contain more than ingredients—handwritten notes, personal surroundings, or other sensitive visual data—so the disclosure boundary is significant.

VirusTotal

64/64 vendors flagged this skill as clean.
