Clawdbot Skill Cookidoo
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing and using the skill gives the agent a path to access Cookidoo account data such as recipes, shopping lists, subscription/account info, and recipe details.
The script uses the user's Cookidoo email and password to log in. This is expected for the stated Cookidoo integration and the code does not print the password, but it is still account-level credential access.
email = os.environ.get("COOKIDOO_EMAIL") ... password = os.environ.get("COOKIDOO_PASSWORD") ... async with Cookidoo(email, password) as cookidoo:
Only configure the credentials if you trust the skill and dependency; keep the env file private, avoid committing it, and remove the credentials when no longer needed.
A changed or compromised dependency could affect how Cookidoo credentials and account data are handled.
The skill depends on an unofficial PyPI package and does not pin a version. This is central to the skill's purpose, but it adds third-party supply-chain trust.
via the unofficial [cookidoo-api](https://pypi.org/project/cookidoo-api/) Python package ... pip install cookidoo-api
Install in a virtual environment, verify the PyPI package/source before use, and consider pinning a known-good version.
A user relying only on the registry summary could underestimate that the skill needs Cookidoo account credentials.
The registry-level requirement summary under-declares credentials even though SKILL.md and package.json disclose required Cookidoo email/password. This appears to be a metadata clarity issue rather than hidden behavior.
Required env vars: none ... Primary credential: none
Review SKILL.md/package.json before installation and ensure ClawHub metadata accurately declares required credentials.
