Recipe Finder
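v2.0.0 Recommends recipes that fit the ingredients you have on hand, with detailed instructions, cooking tips, and nutrition information; supports random and personalized recommendations.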
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (recipe recommendations, nutrition, favorites) matches the code and instructions. The code implements a local recipe DB, ingredient matching, favorites and shopping-list JSON files, and nutrition summaries — all reasonable for this purpose. Minor inconsistency: SKILL.md shows a storage path under ~/.openclaw/workspace/recipe-finder/, while recipe_finder.py writes favorites/shopping_list.json next to the code (DATA_DIR = Path(__file__).parent). This is a functional mismatch but not a permissions/credential issue.
Instruction Scope
SKILL.md confines operations to recommending recipes and storing favorites/shopping lists. It declares file read/write for favorites and does not enable network access. The instructions reference a specific user workspace path (~/.openclaw/workspace/recipe-finder/...), but the bundled Python uses its own directory for data files — review/confirm which path will be used at runtime. No instructions ask the agent to read unrelated system files or exfiltrate data.
Install Mechanism
No install spec; this is instruction+code only. There are no external downloads, package installs, or unknown URLs. Risk from install mechanism is low.
Credentials
The skill requests no environment variables or external credentials. The only access is local file read/write for favorites and shopping_list, which is proportionate to the stated features.
Persistence & Privilege
always is false and the skill does not declare any elevated or system-wide persistence. It appears to only create/read JSON files in its data directory (or the workspace path referenced in SKILL.md). It does not modify other skills or global agent settings.
Scan Findings in Context
[unicode-control-chars] unexpected: The SKILL.md contains unicode-control-character patterns flagged as potential prompt-injection. A recipe skill wouldn't normally need hidden control characters; this may be an accidental encoding/formatting issue or a benign artifact (e.g., invisible whitespace). It's worth inspecting SKILL.md for hidden characters before trusting the skill.
Assessment
This skill is internally consistent with its stated purpose: it recommends recipes and stores favorites/shopping lists locally and does not request credentials or network access. Before installing:
1) Inspect SKILL.md and recipe_finder.py for any unexpected hidden characters or strings (the static scan flagged unicode-control-chars). Those are often benign but can be used to manipulate prompt parsing; remove or correct them if present.
2) Confirm where data will be stored — SKILL.md references ~/.openclaw/workspace/recipe-finder/, while the code writes files next to the script; decide which location you prefer and verify the paths after installation.
3) Run the skill in a sandbox or with limited permissions if you are cautious; check the created favorites.json and shopping_list.json contents.
4) If you expect remote recipe fetching later, require explicit network permission and review any added network code at that time.
If you are comfortable after these checks, the skill's footprint appears reasonable.
Like a lobster shell, security has layers — review code before you run it.
