Tandoor Recipe
PassAudited by ClawScan on May 10, 2026.
Overview
This skill coherently uses a Tandoor API token to manage recipes, meal plans, and shopping lists, with expected account-changing commands that users should confirm.
Install this if you want an agent to manage your Tandoor recipes, meal plans, and shopping list. Make sure TANDOOR_URL is your real Tandoor instance, protect the API token, and require confirmation before the agent creates, updates, checks off, or deletes items.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can use the token to read and modify the Tandoor data allowed by that token.
The skill authenticates to the configured Tandoor instance with an API token. This is necessary and disclosed for the integration, but the token grants account access.
const token = process.env.TANDOOR_API_TOKEN; ... 'Authorization': `Bearer ${TANDOOR_API_TOKEN}`Use a token with the least necessary permissions if Tandoor supports it, keep it in environment variables, and verify TANDOOR_URL points to your intended server.
An accidental or overly broad agent action could create recipes, add meal plans or shopping items, check items off, or remove shopping-list entries.
The CLI exposes mutation and deletion operations for Tandoor objects. These are purpose-aligned and documented, but they can change or remove account data.
await apiRequestRaw('/api/recipe/', { method: 'POST', body: payload }); ... await apiRequestRaw(`/api/shopping-list-entry/${itemId}/`, { method: 'DELETE' });Review and confirm create, update, and delete actions, especially commands that remove multiple checked shopping-list items.