Gousto Recipes

Security checks across malware telemetry and agentic risk

Overview

This skill only searches and fetches public Gousto recipes, with a minor documentation mismatch about a proxy that the included scripts do not use.

Install only if you are comfortable with the skill contacting Gousto's public API and storing a local recipe cache. The vfjr.dev mention appears to be stale documentation, but it should be clarified by the publisher.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium (88% confidence)
Finding
The documentation presents recipe retrieval as using the official Gousto API, but later states that recipe fetch requires a vfjr.dev proxy. This inconsistency can mislead users about the true data path, causing them to send requests or trust responses from an undisclosed third-party service that could log queries, modify content, or fail open in unexpected ways.

Missing User Warnings

Low (80% confidence)
Finding
The skill notes mention that recipe fetching requires network access, but there is no clear user-facing warning that executing the recipe command will make external requests, potentially to a non-official proxy. While low severity in a recipe context, undisclosed outbound requests reduce transparency and can expose user metadata such as IP address, timing, and queried recipe identifiers.

VirusTotal

63/63 vendors flagged this skill as clean.
