Cookidoo Thermomix
PendingStatic analysis audit pending.
Overview
No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the skill must provide Cookidoo login credentials to the local script, which can access account data through the Cookidoo API.
The skill requires the user's Cookidoo account credentials. This is expected for a Cookidoo integration, but it grants account-level access and is not reflected in the registry metadata's credential declarations.
COOKIDOO_EMAIL=user@example.com COOKIDOO_PASSWORD=secret
Use a trusted environment, avoid sharing logs or terminal output containing credentials, and remove the environment variables when no longer needed.
If invoked unintentionally, the agent could remove shopping-list items, calendar entries, or custom collections from the user's Cookidoo account.
The skill exposes commands that can change or delete Cookidoo account data. These commands are disclosed and related to the stated purpose, but they are still mutating actions.
`shopping-clear` | Clear entire shopping list `collection-remove <id>` | Delete custom collection
Ask the agent to confirm destructive or bulk changes before running commands such as shopping-clear, calendar-remove, or collection-remove.
The integration may break, behave differently from the official app, or depend on private API behavior that users cannot easily verify.
The skill relies on an unofficial, reverse-engineered Cookidoo API rather than an official supported integration. This is disclosed and central to the skill's purpose, but it affects trust and reliability.
No official API — based on reverse-engineering the Android app
Review the script before use and understand that this is an unofficial integration, not a Vorwerk-supported Cookidoo client.