Cookidoo

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill fits its Cookidoo meal-planning purpose, but it stores Cookidoo login/session data locally without a clear credential declaration or consistent storage documentation.

Review the credential handling before installing. Use OAuth rather than passing a password on the command line where possible, confirm any meal-plan or shopping-list changes, and know how to delete local files such as cookidoo_cookies.json, cookidoo_search_token.json, ~/.tmx_config.json, or any documented secrets file when you are done.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing and using the skill may leave reusable Cookidoo session data on disk, and another process or later task with access to that directory could reuse it.

Why it was flagged

The bundled CLI persists Cookidoo session cookies and a search token locally. This is purpose-aligned for an OAuth integration, but the registry metadata declares no credential/config requirement and the docs give inconsistent storage descriptions, so the credential boundary is not clearly disclosed.

Skill content

COOKIES_FILE = SCRIPT_DIR / "cookidoo_cookies.json" ... SEARCH_TOKEN_FILE = SCRIPT_DIR / "cookidoo_search_token.json" ... "Save cookies from CookieJar to JSON file"

Recommendation

Clearly declare the Cookidoo credential/session requirement, document the exact storage paths and cleanup command, and avoid storing raw passwords; users should remove session files when they no longer need the skill.

What this means

A mistaken or overly broad request could alter a meal plan, favorites, or shopping list.

Why it was flagged

The CLI can change or clear Cookidoo shopping-list and meal-plan data. This matches the skill purpose and includes a confirmation rule, but users should still understand that the agent can mutate account data when asked.

Skill content

Confirm before destructive actions (shopping clear, plan remove). ... tmx shopping clear # clear entire list ⚠️

Recommendation

Keep confirmations for clear/remove actions and ask the user to review planned mutations before applying them.

What this means

If a user follows the README install path instead of the bundled skill file, they may run unreviewed updated code from GitHub.

Why it was flagged

The README includes an unpinned GitHub run/install example. This is documentation rather than the active install spec, and the reviewed skill includes a bundled Python file, but following the README would execute whatever code is currently at that upstream repository.

Skill content

uvx --from git+https://github.com/Lars147/tmx-cli tmx login

Recommendation

Use the bundled reviewed file or pin/verify the upstream commit before running GitHub-based install commands.