Clawdbot Skill Cookidoo
PassAudited by ClawScan on May 1, 2026.
Overview
The skill is coherent for Cookidoo recipe and shopping-list access, but it requires Cookidoo login credentials and an unpinned unofficial Python dependency.
Install only if you are comfortable giving the agent access to your Cookidoo account data. Store the Cookidoo password securely, verify or pin the unofficial `cookidoo-api` dependency, and review any future syncing/export workflows before allowing data to be sent to other apps.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing and using the skill gives the agent a path to access Cookidoo account data such as recipes, shopping lists, subscription/account info, and recipe details.
The script uses the user's Cookidoo email and password to log in. This is expected for the stated Cookidoo integration and the code does not print the password, but it is still account-level credential access.
email = os.environ.get("COOKIDOO_EMAIL") ... password = os.environ.get("COOKIDOO_PASSWORD") ... async with Cookidoo(email, password) as cookidoo:Only configure the credentials if you trust the skill and dependency; keep the env file private, avoid committing it, and remove the credentials when no longer needed.
A changed or compromised dependency could affect how Cookidoo credentials and account data are handled.
The skill depends on an unofficial PyPI package and does not pin a version. This is central to the skill's purpose, but it adds third-party supply-chain trust.
via the unofficial [cookidoo-api](https://pypi.org/project/cookidoo-api/) Python package ... pip install cookidoo-api
Install in a virtual environment, verify the PyPI package/source before use, and consider pinning a known-good version.
A user relying only on the registry summary could underestimate that the skill needs Cookidoo account credentials.
The registry-level requirement summary under-declares credentials even though SKILL.md and package.json disclose required Cookidoo email/password. This appears to be a metadata clarity issue rather than hidden behavior.
Required env vars: none ... Primary credential: none
Review SKILL.md/package.json before installation and ensure ClawHub metadata accurately declares required credentials.