masterchef
PassAudited by ClawScan on May 8, 2026.
Overview
This recipe assistant appears purpose-aligned, but users should know it uses Bash/curl to send recipe or ingredient queries to an external API.
This skill looks safe for ordinary recipe and ingredient questions. Before installing, note that it relies on an external service and grants Bash access for curl-based API calls, so avoid putting private information into recipe requests.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent misapplies the skill, Bash could theoretically be used for commands beyond recipe API calls, although the visible instructions only show curl calls to the recipe service.
The skill grants Bash access even though the documented use is only to run curl requests to the recipe API. This is purpose-aligned, but Bash is a broad tool compared with a scoped HTTP request capability.
allowed-tools: [Bash]
Use the skill for recipe queries only, and prefer a narrower HTTP/API tool if the platform supports one.
Recipe or ingredient queries may be sent to api.yummy.chat for processing.
The skill sends ingredient or dish-name queries to an external API provider. This is disclosed and central to the recipe-assistant purpose, but it is still a third-party data flow.
Endpoint: `POST https://api.yummy.chat/ingredients` ... `POST https://api.yummy.chat/howtocook`
Avoid including unrelated personal or sensitive information in recipe prompts.