Plan2meal
Warn. Audited by ClawScan on May 10, 2026.
Overview
This looks like a real Plan2Meal integration, but it needs review because its OAuth session handling can fall back to a shared default session and the registry under-declares its credential needs.
Review before installing. Use a trusted or self-hosted `CONVEX_URL`, only opt into the shared backend knowingly, and avoid using this skill in a runtime that might omit unique session IDs. The maintainer should fix the shared default session fallback and update registry credential metadata.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

1. A mistaken or unintended command could delete a recipe or change a grocery list.
The skill exposes commands that mutate or delete Plan2Meal data. These actions are purpose-aligned and user-invoked, but they are consequential.
Evidence: `plan2meal delete <id>` ... `plan2meal list-create <name>` ... `plan2meal list-add <listId> <recipeId>`
Recommendation: Use destructive commands only with explicit user intent, and verify IDs before deleting or modifying lists.

2. If the runtime omits or reuses session IDs, one user's Plan2Meal login could be reused for another request, allowing recipe or grocery-list access under the wrong account.
OAuth sessions are retained in memory and keyed by `sessionId`, but the code falls back to a shared `'default'` key when no `sessionId` is provided.
Evidence: `const SESSION_TTL_MS = 1000 * 60 * 60 * 24 * 7;` ... `const sessionStore = new Map<string, Session>();` ... `const sessionId = context.sessionId || 'default';`
Recommendation: Require a unique user/session identifier for every OAuth flow, remove the shared default session fallback, and bind OAuth state and tokens to that identity.

3. Users relying on registry metadata may not realize the skill needs OAuth and backend configuration until reading the skill file.
The registry metadata does not advertise credentials, while SKILL.md declares required backend and OAuth environment variables.
Evidence: Required env vars: none; Env var declarations: none; Primary credential: none
Recommendation: Update registry metadata to declare the required environment variables and credential expectations.

4. Recipe, grocery-list, and authentication-related traffic will not be local-only.
The skill sends authentication and recipe/grocery data to a backend service. This is disclosed and purpose-aligned, with shared-backend use gated by an opt-in flag.
Evidence: Auth and recipe/grocery API traffic goes to the configured `CONVEX_URL`. Shared backend usage is blocked unless `ALLOW_DEFAULT_BACKEND=true`.
Recommendation: Use a self-hosted or trusted `CONVEX_URL` for private data, and only set `ALLOW_DEFAULT_BACKEND=true` if you intentionally accept the shared backend.

5. It is harder to verify who maintains the code or to compare it against an upstream project.
The registry does not provide a source repository or homepage for provenance review. No remote install script or hidden helper is shown, so this is a provenance note rather than a standalone concern.
Evidence: Source: unknown; Homepage: none
Recommendation: Prefer packages with a public source link, changelog, and reproducible build path, especially when OAuth and backend access are involved.
