Plan2meal

v1.2.5

Manage recipes and grocery lists from your Plan2Meal React Native app. Add recipes from URLs, search, view, and manage your grocery lists.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name/description, commands, and source code align: the code implements recipe extraction, storage, search, and grocery-list operations against a Convex backend. However, registry metadata claims no required environment variables or primary credential while SKILL.md and the code clearly require CONVEX_URL, OAuth client IDs/secrets, and CLAWDBOT_URL. That mismatch between declared registry requirements and the actual runtime requirements is an incoherence to verify with the publisher.
Instruction Scope
SKILL.md instructions are scoped to Plan2Meal actions (login, add/list/search/show/delete recipes, grocery lists). The instructions explicitly disclose data routing (shared default backend) and instruct how to configure env vars. The runtime code only uses declared config and session state (no unexpected file reads or broad 'gather context' steps).
Install Mechanism
There is no install spec (the skill is labeled as instruction-only), but the package includes full source and a package.json with a single dependency (axios). This is reasonable and low-risk compared to remote downloads, but the absence of an install spec while shipping code is a minor mismatch to be aware of.
Credentials
The skill requires several sensitive environment variables (CONVEX_URL, AUTH_GITHUB_ID, AUTH_GITHUB_SECRET, GITHUB_CALLBACK_URL, CLAWDBOT_URL, plus optional Google/Apple OAuth secrets). These are appropriate for OAuth + remote backend use, but the earlier registry metadata advertised no required env vars/primary credential — an inconsistency. Also note the default shared backend (https://gallant-bass-875.convex.cloud) will receive API/auth traffic unless you set CONVEX_URL to your own endpoint or explicitly opt in with ALLOW_DEFAULT_BACKEND=true; using the shared backend exposes user tokens and data to an external host.
Persistence & Privilege
The skill does not request 'always: true' or other elevated platform privileges. It keeps ephemeral session state in-memory (Map) and does not attempt to modify other skills or system-wide agent settings. Autonomous invocation remains enabled (platform default) but is not flagged here by itself.
What to consider before installing
Before installing: (1) Confirm the discrepancy between the registry metadata (which lists no required env vars) and SKILL.md/code (which require CONVEX_URL, GitHub OAuth client id/secret, GITHUB_CALLBACK_URL, and CLAWDBOT_URL). Do not set CONVEX_URL to the shared default unless you trust that external host; prefer self-hosting your Convex backend and only set ALLOW_DEFAULT_BACKEND=true if you intentionally accept routing to https://gallant-bass-875.convex.cloud. (2) Treat OAuth client secrets as sensitive — only provide client IDs/secrets you control and understand who will receive callbacks. (3) Review the included source locally (package.json, src/) if you can; the code is small and transparent and uses axios to call the configured backend endpoints (/api/query, /api/mutation, /api/action). (4) If you have doubts about the publisher or why registry metadata omits required env vars, ask the publisher to explain or fix the metadata before installing. If you proceed, restrict credentials and use a private CONVEX_URL.

Like a lobster shell, security has layers — review code before you run it.

latestvk9757ny1vkaq8jxx2dkwwevh6h8132c5

