Bring Recipes
v0.1.0
Use when user wants to browse recipe inspirations from Bring! shopping app. For discovering recipes, viewing recipe details (name, author, type, images), or filtering by tags. Note - cannot import ingredients (API limitation).
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The described purpose (browse Bring! recipe inspirations) reasonably explains needing account credentials for 'mine' filtering and a Node-based CLI; however the registry metadata declares no required env vars or binaries while SKILL.md explicitly asks for BRING_EMAIL and BRING_PASSWORD and Node.js 18+. That mismatch (credentials and Node requirement present only in SKILL.md) is unexpected and incoherent.
Instruction Scope
The SKILL.md tells the agent/user to run npm install in skills/bring-recipes and to run node index.js commands, and it documents environment variables. But the skill bundle contains no code files (no index.js or package.json). Instructions therefore refer to files/operations that are not present in the package; following them would cause the agent/user to fetch or execute code outside the provided bundle, which expands the trust boundary.
Install Mechanism
There is no declared install spec in the registry, yet SKILL.md instructs running npm install and depends on node-bring-api v2.0.2+. Because the package bundle doesn't include code, these instructions implicitly require pulling packages from npm at runtime. Running npm install without a vetted source or packaged code increases risk (unexpected third-party code execution).
Credentials
The CLI needs account credentials (BRING_EMAIL and BRING_PASSWORD) for personal-recipe access — this is plausible and proportional to the stated feature. However, the manifest declares no required env vars (and no primary credential), so the need for credentials is not advertised in metadata. Also storing a password in an environment variable is a sensitive choice; the skill should document alternatives (tokens) and clearly declare required secrets in the registry.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system-wide privileges. It is user-invocable and permits autonomous invocation (platform default), which is normal and not by itself alarming.
What to consider before installing
Do not run npm install or export your Bring! credentials for this skill until the publisher clarifies and provides the missing code or an official source. Specific checks to request/do:
1) Ask the publisher for the package repository or a packaged bundle (package.json, index.js) and verify its contents before executing anything.
2) Confirm that BRING_EMAIL/BRING_PASSWORD are actually required and whether a scoped API token (read-only) is available instead of your account password.
3) If you must test, run in an isolated environment (container or VM) and inspect all installed npm packages, especially node-bring-api and its dependencies.
4) Prefer skills whose registry metadata lists required env vars and install steps consistently with their SKILL.md.
The current mismatches (instructions require code and credentials that are not present/declared) are a red flag — treat this package as incomplete or potentially mispackaged until proven otherwise.
Like a lobster shell, security has layers — review code before you run it.
latestvk978szpjcfy85s0ed1zac5gqbx800zrg
