ClawHub
Back to skill
v1.0.0

Seth Receitas Ptbr

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 6:30 AM.

Analysis

Prompt-injection indicators were detected in the submitted artifacts (unicode-control-chars); human review is required before treating this skill as clean.

GuidanceThis appears safe to use for recipe lookup. Before installing, note that it runs bundled Python code, sends recipe or ingredient searches to public recipe/nutrition services, and stores a local cache; avoid sensitive personal diet details if that matters to you, and clear the cache when desired. ClawScan detected prompt-injection indicators (unicode-control-chars), so this skill requires review even though the model response was benign.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
metadata
Source: unknown
Homepage: none

The skill does not provide an upstream source or homepage, which reduces provenance transparency, though the visible artifacts do not show hidden installs or suspicious dependencies.

User impactIt is harder to independently verify where the bundled code came from.
RecommendationReview the included files before installing and prefer skills that publish a verifiable source or homepage.
Unexpected Code Execution
SeverityInfoConfidenceHighStatusNote
SKILL.md
python3 ~/.openclaw/workspace/skills/seth-receitas-ptbr/src/cli.py buscar --q "bolo de cenoura"

The documented workflow runs a bundled Python CLI. This is expected for the skill and user-directed, but it is still local code execution.

User impactUsing the skill may execute its local Python files to perform recipe lookups.
RecommendationRun only the documented commands you intend to use and keep execution limited to the bundled skill directory.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
Esta skill busca receitas completas em português do Brasil usando apenas fontes legais:
- **Wikilivros**
- **TheMealDB**

Recipe searches are intentionally sent to public external providers. The providers are disclosed and purpose-aligned, with no credential use shown.

User impactRecipe search terms or ingredient lists may leave the local environment and be sent to public recipe services.
RecommendationAvoid including sensitive health, dietary, or household details in searches if you do not want them sent to those services.
Memory and Context Poisoning
SeverityLowConfidenceHighStatusNote
src/cache.py
self.cache_file = os.path.join(cache_dir, "cache.json")

The skill persists cached API responses locally in a JSON cache. This is disclosed and scoped, but stored recipe/search data can be reused across later runs.

User impactPrior recipe lookups and fetched recipe content may remain on disk until expired or cleared.
RecommendationClear state/cache.json if you want to remove cached recipe data or if cached results look stale or unexpected.