Bean Whisperer
v0.2.0Generate espresso brew profiles for GaggiMate Pro on Rancilio Silvia. Use when the user provides a coffee bean (photo or name) and wants a brewing profile cr...
⭐ 0· 58·0 current·0 all-time
byZuhaib Siddique@zsiddique
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The files (generate-profile.py, gaggimate-ws.py, discord-profiles.py), README, and SKILL.md all implement generating and deploying GaggiMate profiles as advertised. Requested binaries are limited to python3, which is appropriate. Minor mismatch: the registry metadata lists no required environment variables, but the code and README expect optional environment overrides (GAGGIMATE_HOST) and an optional DISCORD_TOKEN or token file — this is proportional to the described functionality but should have been declared.
Instruction Scope
Runtime instructions stick to the stated goal: identify beans, generate/tweak JSON profiles, optionally fetch community profiles from Discord, and push profiles to a local GaggiMate device over WebSocket. The instructions do reference reading a token file (~/.config/gaggimate/discord-token) and environment variables (GAGGIMATE_HOST, DISCORD_TOKEN) which are relevant to Discord and host override; they do not instruct broad system data collection or exfiltration beyond those endpoints.
Install Mechanism
No risky remote install steps are included. This is an instruction + source bundle; dependencies are standard Python packages (websockets, aiohttp) mentioned in pyproject/README. No arbitrary URL downloads or archive extraction steps are present.
Credentials
The skill does not request high-privilege secrets, but it does read/expect a Discord token (via DISCORD_TOKEN env or ~/.config/gaggimate/discord-token) to fetch community profiles; this is proportional to the community-search feature. However, the registry metadata did not declare these env vars/paths as requirements — the omission reduces transparency and is worth noting. The GAGGIMATE_HOST override is also documented but not declared in metadata.
Persistence & Privilege
always:false and no installation hooks that change other skills or system-wide agent settings. The skill can be invoked normally by the agent; it does not request persistent elevated privileges.
Assessment
This skill appears to do what it says: generate and push espresso profiles to a local GaggiMate device and optionally search/download community profiles from Discord. Before installing, review the included scripts yourself (or run them in an isolated environment) because:
- The Discord fetcher expects a token (DISCORD_TOKEN or ~/.config/gaggimate/discord-token). Storing tokens in plain files or providing a full user token has security/privacy implications — prefer a least-privilege approach and understand what account the token belongs to.
- The push operation connects to ws://gaggimate.local (or GAGGIMATE_HOST you set) on your local network and will save/select profiles on the target device; ensure that host is the intended machine and on a trusted LAN.
- The registry metadata omits the optional environment variables the code expects; double-check and set the env vars intentionally rather than assuming defaults.
If you are comfortable with these behaviors (local network access + optional Discord integration), the package is coherent with its purpose. If you do not want it to access Discord or your LAN device, do not provide DISCORD_TOKEN or the host override, and avoid running the push command.Like a lobster shell, security has layers — review code before you run it.
latestvk979mx2148ckeadazy7kavn4d183thnx
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
☕ Clawdis
Binspython3