Recipe to List
Pass
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent recipe-to-Todoist helper, but it uses Gemini and Todoist credentials, sends recipe inputs to Gemini, and saves recipe files locally.
Before installing, confirm you are comfortable granting Gemini and Todoist access for this workflow. Start with --dry-run, crop recipe photos to avoid private content, review ~/.clawdbot/.env if using the shell wrapper, and use --no-save for recipes you do not want stored in the workspace.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can use the user's Gemini key and Todoist token to process recipe inputs and create shopping-list tasks.
The skill requires API credentials and a Todoist CLI capable of accessing the user's Todoist account. This is expected for the stated integration, but it is sensitive authority.
- Env: `GEMINI_API_KEY` (or `GOOGLE_API_KEY`) for Gemini
- Env: `TODOIST_API_TOKEN` for Todoist
- Bin: `todoist` (todoist-ts-cli)
Use a Todoist token/account you trust for this purpose, verify the Shopping project target, and revoke or rotate tokens if you stop using the skill.
Secrets stored in ~/.clawdbot/.env become environment variables for the script process.
The wrapper sources a local .env file wholesale if present, which may load secrets beyond the two credentials the skill needs. The visible artifacts do not show exfiltration, but users should be aware of the credential-loading behavior.
[[ -f ~/.clawdbot/.env ]] && source ~/.clawdbot/.env
Keep only necessary variables in that file or run the Python script with explicitly scoped GEMINI_API_KEY/GOOGLE_API_KEY and TODOIST_API_TOKEN values.
Running the normal workflow can create new Todoist tasks without using dry-run first.
The default behavior mutates Todoist by adding missing shopping-list tasks. This is purpose-aligned and scoped to Shopping, but it is still an account-changing action.
Update **Shopping** (default: add only missing items; skip salt/pepper)
Use --dry-run when testing, review extracted ingredients before accepting updates, and keep the project target limited to Shopping.
Recipe photos, and potentially any visible private information in them, are sent to Google Gemini for processing.
Recipe photo bytes are base64-encoded and sent to the Gemini Generative Language API. This is expected for vision extraction and disclosed by the skill, but it is an external provider data flow.
{"inline_data": {"mime_type": mime, "data": b64}}
Only submit images you are comfortable sending to Gemini, and crop photos to the ingredient list when possible.
Recipe information remains in the workspace after the task is complete.
The skill creates persistent local recipe notes that may later be reused as a cookbook knowledge base. This persistence is disclosed and can be disabled, but users should know it happens by default.
It also **automatically saves** a markdown entry into `recipes/` (your cookbook knowledge base) and appends to `recipes/index.md`.
Use --no-save for one-off or private recipes, and periodically review recipes/ and recipes/index.md for unwanted entries.
A compromised or unexpected local todoist CLI could affect what happens when the skill updates tasks.
The skill depends on an externally installed Todoist CLI, but the registry metadata and install spec do not pin or install a specific version. This is common for instruction-only integrations, but provenance depends on the user's local installation.
- Bin: `todoist` (todoist-ts-cli)
Install the Todoist CLI from a trusted source and keep it updated.
