Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Meal Suggester

v1.1.0

Quick dinner companion blending taste profiles, inventory tracking, and learning-based recipe rotation. Use to generate ≤25‑minute meals, log ingredients, and build shopping suggestions that respect both your and your partner’s preferences.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
Name and description (meal suggestion + inventory tracking + learning) align with the repository structure (preferences, inventory, history files). However, the single executable (scripts/suggest-meal.sh) only selects a random recipe from an internal list and appends a simple entry to history — it does not parse inventory/preferences, does not update stock or shopping-list, and does not implement a learning algorithm. The claimed capabilities are disproportionate to what the code actually does.
! Instruction Scope
SKILL.md and README instruct the agent to read inventory, check preferences, auto-update stock from user messages, build shopping lists, and schedule a daily cron reminder. The script only prints a recipe and appends a 'Suggested' line to history; there is no parsing of user input, no code to update inventory/shopping-list, no preference-driven selection, and no cron installation. Instructions therefore overreach the implemented runtime behavior.
Install Mechanism
No install spec is present (instruction-only skill with a bundled script). Nothing is downloaded or executed from external URLs. The only runtime action is a local shell script that reads/writes files within the skill directory — low install risk.
Credentials
The skill declares no required environment variables, no credentials, and no special config paths. The files include sensitive user data (allergy and preference markdown files), but all access is local; no external credential requests or network endpoints are present in the provided code.
Persistence & Privilege
always:false and normal invocation semantics. The script appends to inventory/history.md (i.e., it writes to disk within the skill directory). The documentation mentions a cron job at 19:00 but no code installs it — cron setup would be a manual step. The skill does not attempt to modify other skills or system-wide config, but it does persist history locally.
What to consider before installing
This skill appears to be low-risk from a security standpoint (no network calls, no credentials), but it's inconsistent: the docs promise inventory-aware, preference-driven suggestions, automated stock/shopping‑list updates, and learning, while the script only picks a random recipe and appends a history line. Before installing or relying on it:
1) Inspect scripts/suggest-meal.sh yourself (it only writes to files under the skill directory).
2) Treat preferences/allergy files as local sensitive data since they are stored plaintext in the skill folder.
3) Don’t assume the cron job or automatic inventory updates are installed — you would need to add cron or extend the script to parse user input and update stock/shopping-list.
4) If you want the missing features, ask the maintainer for a clear implementation or modify the script locally; run it in a sandbox or with test files first.
If you need stronger assurance that the skill is implemented as described, request a version that actually reads/parses inventory and preferences and includes tests or an explicit cron/install step.

Like a lobster shell, security has layers — review code before you run it.
