Zapier Recipe
PassAudited by ClawScan on May 1, 2026.
Overview
This appears low risk with no credential or network access, but its documentation and helper scripts are inconsistent and one script keeps a local command history.
This skill is safe enough to treat as benign for recipe guidance, but review the included shell scripts before running them. Be aware that one script is unrelated to Zapier recipes and can write a local command history.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may not know whether the included scripts are intended to be installed or invoked, even though no dangerous behavior is shown.
The registry describes the skill as instruction-only with no install requirements, but executable shell scripts are included, creating ambiguity about provenance and how the CLI is meant to be used.
No install spec — this is an instruction-only skill. Code file presence: 2 code file(s): scripts/script.sh ... scripts/zapier.sh
Treat the scripts as optional helpers unless the publisher documents the install path; review them before running.
The mismatch could confuse users or agents about what the skill actually does, though the commands shown mostly print messages and log local history.
This included helper describes a developer workflow tool with commands that do not match the Zapier/Make recipe purpose or the SKILL.md command list.
# zapier-recipe - Developer workflow automation tool ... Commands: init ... check ... build ... test ... deploy ... clean
Use only the recipe-related functionality unless the publisher clarifies why the developer workflow script is included.
If a user passes sensitive text as command arguments, it could be stored locally in the history log.
The helper creates a local data directory and records command names and arguments in a persistent history log.
DATA_DIR="${ZAPIER_RECIPE_DIR:-${XDG_DATA_HOME:-$HOME/.local/share}/zapier-recipe}" ... _log() { echo "$(date '+%m-%d %H:%M') $1: $2" >> "$DATA_DIR/history.log"; }Avoid entering secrets or private data as arguments, and delete the local zapier-recipe data directory if unwanted.