Cooking Recipe

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is presented as a simple recipe helper, but its instructions describe an account-backed recipe and grocery-list system using an external backend and OAuth secrets that are not declared in the registry metadata.

Before installing, treat this as an account-backed recipe/grocery-list manager, not just a recipe generator. Verify the full package source, use a trusted or self-hosted backend, and do not provide OAuth client secrets unless you understand why they are needed and trust the implementation.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may install it expecting a simple recipe generator, but the skill is actually framed around stored account data, backend traffic, and recipe/list management actions.

Why it was flagged

This expands the behavior beyond the registry description of making a recipe from ingredients into backend-backed recipe and grocery-list management, which may cause users to underestimate what the skill does.

Skill content

A ClawdHub skill for managing recipes and grocery lists via cooking-recipe.

Recommendation

Update the public description and metadata to clearly state backend-backed recipe and grocery-list management, authentication, and supported data mutations before users install it.

What this means

Users could be asked to provide sensitive OAuth app secrets for a cooking skill without that requirement being visible in the registry metadata.

Why it was flagged

The skill asks for OAuth provider client secrets and callback configuration, but the registry declares no required environment variables and no primary credential.

Skill content

OAuth provider creds:
     - GitHub (required): `AUTH_GITHUB_ID`, `AUTH_GITHUB_SECRET`, `GITHUB_CALLBACK_URL`
     - Google (optional): `AUTH_GOOGLE_ID`, `AUTH_GOOGLE_SECRET`, `GOOGLE_CALLBACK_URL`
     - Apple (optional): `AUTH_APPLE_ID`, `AUTH_APPLE_SECRET`, `APPLE_CALLBACK_URL`

Recommendation

Do not provide OAuth secrets unless you trust the implementation and backend; the publisher should declare these credentials in metadata and explain their scope, storage, and use.

What this means

Recipe, grocery-list, and authentication-related traffic may leave the local environment and be processed by a configured or shared backend.

Why it was flagged

The skill discloses that auth and recipe/grocery data may be sent to an external Convex backend, including a shared default backend if enabled.

Skill content

Shared backend/API target: `https://123467.convex.cloud`
- Auth and recipe/grocery API traffic goes to configured `CONVEX_URL`.

Recommendation

Use a self-hosted or trusted `CONVEX_URL` when possible, and only set `ALLOW_DEFAULT_BACKEND=true` if you intentionally accept the shared backend.

What this means

Recipe or grocery-list data could be changed or deleted if these commands are run against the backend.

Why it was flagged

The command set includes actions that create, modify, and delete stored recipe/list data. These are purpose-aligned but should be clearly confirmed for destructive operations.

Skill content

`cooking-recipe add <url>` ... `cooking-recipe delete <id>` ... `cooking-recipe list-create <name>` ... `cooking-recipe list-add <listId> <recipeId>`

Recommendation

Require explicit user confirmation before destructive actions such as `delete`, and show the target recipe/list ID before executing.

What this means

Users cannot verify from the provided artifacts what code, templates, or configuration files will actually be installed or executed.

Why it was flagged

The instructions reference setup/template files and CLI behavior that are not present in the supplied one-file manifest, leaving the actual implementation and referenced materials outside this review context.

Skill content

cp .env.example .env
...
Use response formatting templates from `references/output-templates.md`.

Recommendation

Review the full package source and install artifacts before use, and ensure referenced files and CLI commands are included and versioned.