Cookidoo Thermomix
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: cookidoo-thermomix
Version: 1.0.0
The skill is designed to interact with the Cookidoo (Thermomix) platform via an unofficial API. It requires `COOKIDOO_EMAIL` and `COOKIDOO_PASSWORD` environment variables, which are used solely for authentication with the legitimate `tmmobile.vorwerk-digital.com` API endpoint. The `SKILL.md` instructions are clear and do not contain any prompt injection attempts. The `scripts/cookidoo.py` code uses standard Python libraries (`urllib`, `json`) for network communication and JSON parsing, without any use of `os.system`, `subprocess`, `eval`, or `exec`. There is no evidence of data exfiltration to unauthorized domains, persistence mechanisms, or other malicious intent. The hardcoded client secrets are for the Cookidoo API itself, not user credentials, and are part of the reverse-engineered API interaction.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the skill must provide Cookidoo login credentials to the local script, which can access account data through the Cookidoo API.
The skill requires the user's Cookidoo account credentials. This is expected for a Cookidoo integration, but it grants account-level access and is not reflected in the registry metadata's credential declarations.
COOKIDOO_EMAIL=user@example.com COOKIDOO_PASSWORD=secret
Use a trusted environment, avoid sharing logs or terminal output containing credentials, and remove the environment variables when no longer needed.
If invoked unintentionally, the agent could remove shopping-list items, calendar entries, or custom collections from the user's Cookidoo account.
The skill exposes commands that can change or delete Cookidoo account data. These commands are disclosed and related to the stated purpose, but they are still mutating actions.
`shopping-clear` | Clear entire shopping list
`collection-remove <id>` | Delete custom collection
Ask the agent to confirm destructive or bulk changes before running commands such as shopping-clear, calendar-remove, or collection-remove.
The integration may break, behave differently from the official app, or depend on private API behavior that users cannot easily verify.
The skill relies on an unofficial, reverse-engineered Cookidoo API rather than an official supported integration. This is disclosed and central to the skill's purpose, but it affects trust and reliability.
No official API — based on reverse-engineering the Android app
Review the script before use and understand that this is an unofficial integration, not a Vorwerk-supported Cookidoo client.
