Bring Recipes
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: bring-recipes Version: 0.1.0 The provided `SKILL.md` and `_meta.json` files describe a CLI tool for browsing recipes from the Bring! app. The `SKILL.md` clearly outlines the skill's purpose, usage, and limitations. It includes standard installation instructions (`npm install`) and mentions the use of environment variables for authentication (`BRING_EMAIL`, `BRING_PASSWORD`), which are necessary for interacting with an authenticated API. There is no evidence of prompt injection against the agent, data exfiltration, malicious execution, persistence mechanisms, or obfuscation within the provided documentation. The described behaviors are aligned with the stated purpose, and any potentially risky capabilities (like `npm install` or handling credentials) are plausibly needed for the skill's functionality.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed and used, the CLI would rely on the user's Bring login details, so the user should trust the code and avoid exposing these environment variables.
The skill instructs users to provide Bring account credentials via environment variables. This is expected for accessing Bring personal recipe data, but it is sensitive authority and is not reflected in the registry's declared credentials.
export BRING_EMAIL="your@email.com" export BRING_PASSWORD="yourpassword"
Use a dedicated or least-sensitive account if possible, avoid saving the password in shared shell profiles, and verify the actual CLI code/dependencies before entering credentials.
A user following the instructions may install and run code that is not included in the reviewed artifact set.
The instructions direct a user to install Node dependencies for a CLI, and the same file references node-bring-api v2.0.2+. This is normal for a CLI skill, but the submitted artifacts include only SKILL.md, so the actual package contents are not visible here.
cd skills/bring-recipes npm install
Before running npm install or node index.js, inspect the package files and dependency versions from the actual installed source.