Bring Recipes
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed and used, the CLI would rely on the user's Bring login details, so the user should trust the code and avoid exposing these environment variables.
The skill instructs users to provide Bring account credentials via environment variables. This is expected for accessing Bring personal recipe data, but it is sensitive authority and is not reflected in the registry's declared credentials.
export BRING_EMAIL="your@email.com" export BRING_PASSWORD="yourpassword"
Use a dedicated or least-sensitive account if possible, avoid saving the password in shared shell profiles, and verify the actual CLI code/dependencies before entering credentials.
A user following the instructions may install and run code that is not included in the reviewed artifact set.
The instructions direct a user to install Node dependencies for a CLI, and the same file references node-bring-api v2.0.2+. This is normal for a CLI skill, but the submitted artifacts include only SKILL.md, so the actual package contents are not visible here.
cd skills/bring-recipes npm install
Before running npm install or node index.js, inspect the package files and dependency versions from the actual installed source.