Mealie API skill
Security checks across malware telemetry and agentic risk
Overview
This Mealie skill is not malicious, but it needs review because its documented helper can upload arbitrary local files and make persistent changes to a Mealie account.
Install only if you trust the publisher and want an agent to manage your Mealie instance. Before using write commands, create the JSON payload in a known temporary file, inspect the payload and target URL, and confirm the action explicitly. Do not let prompts choose arbitrary file paths for add-recipe or create-plan, and keep MEALIE_TOKEN out of chat logs and shared shells.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
VirusTotal
55/55 vendors flagged this skill as clean.