Skill v1.0.0
ClawScan security
Gousto Recipes · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 11, 2026, 8:52 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's scripts, network calls, and runtime requirements match its stated purpose (searching and fetching Gousto recipes); nothing in the code requests unrelated credentials or hidden endpoints, though the SKILL.md contains a stray reference to a third‑party proxy that the scripts do not use.
- Guidance: This skill is internally consistent for fetching and searching Gousto recipes. Before installing: review the scripts locally (they are short and readable), be aware update-cache.sh will make many API requests and create data/recipes.json in the skill folder (it's gitignored), and confirm you are comfortable the calls go to production-api.gousto.co.uk. The mention of 'vfjr.dev proxy' in SKILL.md/README appears to be a stale note — if that concerns you, ask the author or search the repo for any references to that proxy; otherwise the shipped scripts do not use it. If you run this in a restricted environment, consider running update-cache.sh manually to control network usage and check for rate limits.
Review Dimensions
- Purpose & Capability (ok): Name/description (browse/search Gousto recipes) align with the actual files and required binaries. The scripts use curl/jq to call Gousto's production API and build a local cache — exactly what's needed for the stated functionality.
- Instruction Scope (note): Runtime instructions tell the agent to run update-cache.sh, search.sh, and recipe.sh which only read/write the skill's data directory and call the official Gousto API. One inconsistency: SKILL.md/README mention a 'vfjr.dev proxy' in a note, but none of the scripts use that proxy — they call production-api.gousto.co.uk directly. This appears to be a stale comment rather than active behavior.
- Install Mechanism (ok): No install spec (instruction-only with shipped shell scripts). No downloads from untrusted URLs, no package installs. The risk is low: scripts are executed locally and create a gitignored data/recipes.json cache.
- Credentials (ok): The skill requests no environment variables or credentials. Scripts do not read other env vars or system config. All network calls go to Gousto's API; no secret exfiltration or unrelated credential access is present.
- Persistence & Privilege (ok): 'always' is false and the skill does not modify other skills or system-wide config. It writes only to its own data/recipes.json cache in the skill directory.
