ClawHub

Cook Like Hoc

v1.0.1

Search and display recipes from the open-source Gar-b-age/CookLikeHOC repository. Use when the user asks to "cook like hoc", "像老乡鸡那样做饭", "老乡鸡菜谱", "做菜", or wa...

0· 53·0 current·0 all-time
by@xiaoxiangxie
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match implementation: the script fetches the repo tree from GitHub and recipe markdown via the jsDelivr CDN and returns recipe content. The requested capabilities (network fetches of the repository) are appropriate for the stated purpose and there are no unrelated credentials or binaries required.
Instruction Scope
SKILL.md instructs the agent to run the included Python script from the skill folder. The script only reads/writes a cache file inside the skill directory, queries the GitHub tree API, and fetches raw markdown via jsDelivr. It does not attempt to read unrelated system files or send data to unexpected endpoints.
Install Mechanism
No install spec; this is instruction/code-only. There are no remote installers or downloads performed by an installer step. The only network activity is the script fetching repository data at runtime (GitHub API and jsDelivr), which is expected.
Credentials
The script will optionally read a GITHUB_TOKEN environment variable (os.environ.get('GITHUB_TOKEN')) and add it to the Authorization header to increase API rate limits. The skill metadata does not declare any required env vars. This is plausible for the purpose but worth noting: if a token is present it will be sent to api.github.com (normal GitHub usage).
Persistence & Privilege
always:false and no system-wide config changes. The script writes/updates a cache file (recipe_tree_cache.json) within the skill's scripts directory only; it does not modify other skills or global agent settings.
Assessment
This skill is coherent for fetching recipes from the referenced GitHub repo. Before installing, be aware that: (1) the script makes outbound HTTP(S) requests to api.github.com and to jsDelivr (fastly.jsdelivr.net) to list and fetch files; (2) if you have a GITHUB_TOKEN environment variable set, the script will read it and use it in an Authorization header to GitHub (this is optional and used only to raise API rate limits) — remove or limit that token if you don't want it used; (3) the script writes a local cache file (recipe_tree_cache.json) inside the skill directory and may update it. If those behaviors are acceptable, the skill appears safe and consistent with its description. If you want extra caution, inspect the included files yourself or run the script in a sandboxed environment (no token, restricted network) first.

Like a lobster shell, security has layers — review code before you run it.

latestvk973j46y2be2k9n35ebb4d37g184s6c4

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments