Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tiktok To Mealie

v1.2.0

Extract recipe information from TikTok links, reconstruct a clean recipe, localize it to the user's language when needed, and import it into Mealie. Use when...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name and description (convert TikTok recipes and import to Mealie) match the SKILL.md and reference docs. The actions described (resolve TikTok URL, extract text, reconstruct recipe, upload to Mealie, upload image) are consistent with the stated purpose.
Instruction Scope
The runtime instructions are focused on extraction, reconstruction, localization, and calling Mealie APIs. They instruct resolving final TikTok URLs, downloading cover images, and creating/fetching/uploading recipes in Mealie. The skill also instructs reading configuration from environment variables or local secret files (~/.openclaw/secrets); that is within the skill's needs but is sensitive and should have been declared explicitly.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk by an installer. This is the lowest-risk install mechanism.
Credentials
The documentation and SKILL.md require a Mealie base URL and API token (recommended env vars MEALIE_BASE_URL and MEALIE_API_TOKEN or local secret files). However, the registry metadata lists no required environment variables or credentials. This mismatch is disproportionate/untracked: the skill needs secrets to function (and can read local secret file paths), but the platform metadata doesn't declare or surface that need.
Persistence & Privilege
always:false (normal). The skill may be invoked autonomously (disable-model-invocation:false), which is the platform default; combined with the missing declaration of required credentials, this increases the chance of unintended automated imports if the platform allows the skill to access secrets without explicit consent.
What to consider before installing
This skill appears to do what it says, but the registry metadata failed to declare the Mealie credentials and secret-file access it expects. Before installing or enabling it:

1) Confirm how your OpenClaw environment grants skills access to environment variables and local files (will it prompt you or allow silent reads of ~/.openclaw/secrets?).
2) Only provide MEALIE_BASE_URL and MEALIE_API_TOKEN if you trust the skill and the platform; prefer a dedicated API token with limited scope.
3) If you want stricter control, require explicit user confirmation before the skill performs imports (so it can't auto-create recipes).
4) Ask the skill publisher to update the registry metadata to list the required env vars (MEALIE_BASE_URL, MEALIE_API_TOKEN) so the platform can surface permissions correctly.
5) Run initial tests with a throwaway/dedicated Mealie instance or token to validate behavior before using real data.
