Back to skill

Security audit

Cookidoo

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Cookidoo meal-planning tool, but it needs review because it can change account data and stores session material locally with limited safeguards.

Install only if you are comfortable letting this skill access and modify your Cookidoo account. Prefer interactive login, do not use --password in commands, protect the local skill/cache files, confirm removals or shopping-list clears before running them, and clear cookies/tokens when you no longer need the integration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares no permissions, yet its documented behavior clearly involves network access to Cookidoo, local file reads for bundled references/config, and likely file writes for setup, auth state, or exports. This mismatch reduces transparency and weakens enforcement or review, making it easier for a user or platform to invoke a skill with broader capabilities than expected.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The README explicitly documents `tmx login --email user@example.com --password secret`, which encourages passing credentials on the command line. Command-line arguments are commonly exposed via shell history, process listings, audit logs, and agent/tool telemetry, so this can leak Cookidoo credentials to other local users or logging systems.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The description includes many broad trigger terms such as 'recipe', 'meal plan', and 'shopping list', which can cause the skill to activate in situations the user did not specifically intend. In a network-connected skill that can modify plans and shopping lists, overbroad invocation increases the chance of unintended actions or unnecessary exposure of account-linked data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation explicitly states that Cookidoo credentials are stored in a local file (`secrets/cookidoo.env`) but provides no warning about plaintext secret handling, file permissions, encryption, or safer alternatives such as token-based storage. In an agent/skill context, this can normalize insecure secret management and increase the chance that credentials are exposed via source control, local filesystem compromise, backups, or debug output.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Accepting a password via a CLI argument is dangerous because command-line arguments are commonly exposed through shell history, process listings, audit logs, and job runners. In this skill’s context, the password grants access to the user’s Cookidoo account and related personal meal-planning data, so accidental disclosure is realistic and avoidable.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Session cookies are persisted to disk in JSON without any visible permission hardening or user warning. Anyone with local access to the file can potentially reuse the authenticated session to access the victim’s Cookidoo account, making this a credential/session theft risk rather than just a convenience feature.

Missing User Warnings

Low
Confidence
83% confidence
Finding
Caching the search token to disk creates persistent local exposure of an access token that may remain usable until expiry. While lower impact than full session cookies, it still increases the blast radius of local compromise and should be treated as sensitive cached auth material.

Session Persistence

Medium
Category
Rogue Agent
Content
errors.append(f"{cat_id}: Kategorie-Name nicht gefunden")
            continue
        
        # Create URL-friendly key
        cat_key = cat_name.lower().replace(" ", "-").replace("ä", "ae").replace("ö", "oe").replace("ü", "ue").replace("ß", "ss")
        cat_key = re.sub(r'[^a-z0-9-]', '', cat_key)
Confidence
95% confidence
Finding
Create URL-friendly key cat_key = cat_name.lower().replace(" ", "-").replace("ä", "ae").replace("ö", "oe").replace("ü", "ue").replace("ß", "ss") cat_key = re.sub(r'[^a-z0-9-]', '', cat

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.