Safety Report

Paprika

Name: Paprika
Rating: 5 (2 reviews)
Author: mjrussell

Access recipes, meal plans, and grocery lists from Paprika Recipe Manager. Use when user asks about recipes, meal planning, or cooking.

1,696Downloads

4Installs

2Stars

1Versions

Networking & DNS1,102 DevOps & Infrastructure1,045

Security Analysis

high confidence

Clean

The SKILL.md describes a Paprika CLI workflow but the skill metadata does not declare the required CLI binary or the credential environment variables the instructions ask the user to provide — this mismatch and the instruction to install an external npm package warrant caution.

Mar 7, 20261 files4 concerns

Purpose & Capabilityconcern

The skill's stated purpose (access Paprika recipes/meal plans/groceries) matches the instructions, but the metadata does not list the 'paprika' binary or any required env vars even though the runtime instructions rely on a 'paprika' CLI and PAPRIKA_EMAIL / PAPRIKA_PASSWORD. That inconsistency means the declared requirements don't match what the skill actually needs.

Instruction Scopenote

The SKILL.md stays on-topic (commands all relate to Paprika functionality). However it instructs installing and running an external CLI, performing interactive authentication, or exporting plaintext email/password env vars. It does not instruct reading unrelated system files, but it does direct the agent/user to obtain credentials and install software outside the skill bundle.

Install Mechanismnote

There is no install specification in the skill metadata; instead the SKILL.md tells the user to run 'npm install -g paprika-recipe-cli'. Using an npm package is a common approach but the skill should declare this in its install spec and provenance. Because the package will be installed globally, verify the package name, publisher, and source (npm/GitHub) before installing to avoid typosquatting or untrusted code.

Credentialsconcern

The SKILL.md suggests exporting PAPRIKA_EMAIL and PAPRIKA_PASSWORD or running interactive 'paprika auth', but the registry metadata lists no required env vars or primary credential. Requesting a user's email and plaintext password is sensitive and should be declared and justified. The skill also doesn't explain how credentials are stored or protected after authentication.

Persistence & Privilegeok

The skill does not request always:true and is user-invocable; it does not ask to modify other skills or system-wide settings. No elevated persistence is requested by the metadata.

Guidance

This skill's instructions require installing an external npm package ('paprika-recipe-cli') and providing Paprika credentials, but the skill metadata doesn't declare the required binary or env vars — that's an inconsistency you should address before installing. Before proceeding: 1) Verify the npm package and its publisher on npmjs.com and GitHub to ensure it's legitimate (watch for typosquatting). 2) Prefer using the CLI's interactive auth rather than exporting plaintext password environment variables; if you must use env vars, understand where/if credentials are stored and how secure that storage is. 3) Ask the skill author to update the skill metadata to declare required binaries (paprika) and any required env vars and to provide an install spec with provenance. 4) If you don't trust the package owner, do not install the global npm package or provide your Paprika credentials. If you need help verifying the npm package or inspecting what the 'paprika' CLI does, gather the package link (npm or GitHub) and request a security review.

Latest Release

v0.1.0

Initial release

More by @mjrussell

Todoist

39 stars

Resend

2 stars

Anylist

1 stars

Fitbit

1 stars

Hevy

0 stars

Trimet

0 stars

Published by @mjrussell on ClawHub