v3.0.1

Taste

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 8:34 AM.

Analysis

Taste has a coherent recommendation goal, but it asks to read private email/calendar data, store a detailed consumption history, and run daily self-updates from GitHub, so it needs careful review before installation.

Guidance: Review this skill before installing. It is only appropriate if you explicitly want an agent to scan your email and calendar, store a long-term consumption profile, and use external enrichment services. Disable or remove the daily self-update cron job unless you specifically trust the GitHub source and update process, and confirm how to inspect, limit, and delete the stored data.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Rogue Agents
Severity: High. Confidence: High. Status: Concern.
README.md
`taste.init` runs automatically on first invocation ... registers the `taste:update` cron job (midnight daily) for automatic self-updates.

The skill instructs automatic first-run persistence and a recurring cron job that continues operating after the immediate user task. This is not necessary for one-off recommendations and is not clearly opt-in.

User impact: The skill may keep changing itself or its local files on a daily schedule even when the user is not actively asking for recommendations.
Recommendation: Disable automatic cron registration by default. Require explicit user opt-in, show the exact cron entry, and provide a documented uninstall/disable command.

Agentic Supply Chain Vulnerabilities
Severity: High. Confidence: High. Status: Concern.
README.md
| `taste:update` | cron | `0 0 * * *` (midnight daily) | Self-update from GitHub source |

Daily self-updates from a remote GitHub source are described without artifact evidence of pinning, signature verification, changelog approval, or user review before new instructions are adopted.

User impact: Future remote changes could alter the skill's behavior or data handling without the user reviewing the new version first.
Recommendation: Use pinned releases or commit hashes, verify updates, require manual approval before applying updates, and disclose exactly what files or instructions are replaced.

Human-Agent Trust Exploitation
Severity: Medium. Confidence: High. Status: Concern.
references/journal.md
Taste ingests signals and produces recommendations -- no external side effects.

This statement conflicts with other artifacts that describe email/calendar scanning, persistent JSONL writes, external Maps/web enrichment, and cron-based self-updates. It could cause users to underestimate the skill's operational impact.

User impact: A user may believe the skill is only observational when it actually changes local state, performs external lookups, and installs persistent scheduled behavior.
Recommendation: Revise the documentation to accurately list all side effects, including account reads, local writes, provider lookups, journals, and scheduled updates.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High. Confidence: High. Status: Concern.
references/email_extraction.md
Access the user's email account ... read full body when needed ... Access the user's Google Calendar for restaurant reservations and hotel bookings

The skill requires access to private email bodies and calendar data to build its model. This is purpose-aligned, but it is high-impact account authority and the artifacts do not show a least-privilege credential or permission contract.

User impact: The agent may read sensitive receipts, orders, reservations, travel bookings, and calendar details from the user's accounts.
Recommendation: Install only if you are comfortable granting this access. Require explicit approval before scans, use the narrowest available OAuth scopes or account permissions, and review the sender allowlist and calendar scope.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: High. Confidence: High. Status: Concern.
references/schemas.md
Stored in `extractions.jsonl` ... `source_message_id` ... `confirmation_number` ... `items` ... `total_amount` ... `location` ... `party_size`

The skill persists detailed extracted email/calendar-derived purchase, travel, and reservation metadata. The artifacts describe storage but do not define retention limits, deletion controls, encryption, or rules for excluding sensitive records.

User impact: A durable local taste profile could contain detailed spending, travel, location, and dining patterns that may be sensitive if reused, shared, or exposed later.
Recommendation: Before installing, confirm where data is stored, how to inspect and delete it, whether it is encrypted, and whether sensitive categories can be excluded from scans.

Insecure Inter-Agent Communication
Severity: Low. Confidence: High. Status: Note.
references/enrichment.md
Automatically after `taste.scan` for newly created items ... Google Maps — primary source ... Web search — backup.

External provider lookups are disclosed and purpose-aligned for enrichment, but they may reveal venue, product, city, or other consumption-derived data to Google Maps or web search providers.

User impact: Private consumption-derived names and locations may be sent to external services as part of enrichment.
Recommendation: Make enrichment opt-in or clearly disclose what fields are sent externally; allow users to disable web search or Maps enrichment for sensitive items.