
      Safety Report

      Cookidoo

      @Lars147

      Manage Thermomix/Cookidoo meal planning via tmx-cli. Use for recipe search, weekly meal plan management, shopping list generation, favorites, and recipe details. Trigger when the user mentions Cookidoo, Thermomix, Wochenplan, meal plan, Rezept, recipe, or Einkaufsliste for cooking.

      719 Downloads
      0 Installs
      0 Stars
      1 Version
      Workflow Automation (3,323) · Search & Retrieval (2,116) · CLI & Shell Tools (1,805) · E-Commerce (1,690)

      Security Analysis

      medium confidence
      Suspicious · 0.04 risk

      The skill mostly does what it says (a Cookidoo CLI) but its documentation/code disagree about how credentials are handled and it writes session/credential files to disk without declaring required secrets — this mismatch is worth caution.

      Feb 11, 2026 · 5 files · 3 concerns

      Purpose & Capability: note

      Name, description, README, SKILL.md and the bundled Python CLI are consistent: the code implements searching, plan/shopping management, favorites, and uses Cookidoo/Algolia endpoints. There are no unrelated cloud services or surprising binaries required.

      Instruction Scope: concern

      SKILL.md instructs the agent to run the bundled tmx_cli.py and to log in (OAuth or credentials). The implementation reads/writes local files (cookies, search token, category cache, config) and performs network calls to cookidoo.de and Algolia — expected for this purpose — but some documentation (references/commands.md) explicitly mentions storing credentials in secrets/cookidoo.env (COOKIDOO_EMAIL, COOKIDOO_PASSWORD) even though the skill metadata declares no required env vars. The instructions give the agent discretion to run login flows and persist session tokens, which increases the sensitivity of what the skill will access.

      Install Mechanism: ok

      This is an instruction-only skill bundled with the tmx_cli.py source; there is no install script that downloads arbitrary code. README shows optional GitHub installs (uvx/pipx) but the registry package contains the Python file itself. No high-risk download-from-URL installs are present in the bundle.

      Credentials: concern

      Skill metadata declares no required environment variables, yet docs/code indicate the CLI can accept/store Cookidoo credentials and session tokens (cookies, cookidoo_search_token.json) and the commands reference storing COOKIDOO_EMAIL/COOKIDOO_PASSWORD in secrets/cookidoo.env. The skill writes to ~/.tmx_config.json and to files under the script directory. Requesting/saving user credentials and session cookies is proportionate to login-based functionality, but the omission of any declared secret requirements in the metadata and the presence of multiple storage locations is an inconsistency that should be clarified before use.

      Persistence & Privilege: ok

      The skill does not request always:true and does not modify other skills. It will persist session and config files (in the skill directory and in the user's home directory), which is expected for a CLI that maintains login state, but users should be aware these files contain credentials/tokens and live on disk.

      Guidance

      This skill appears to implement a legitimate Cookidoo CLI, but there are inconsistencies you should resolve before installing:

      1) The registry metadata declares no required secrets, yet the docs and code accept and store Cookidoo credentials and session cookies (files under the skill directory and ~/.tmx_config.json). Confirm whether the skill will ask for your raw password or use an OAuth browser flow, and prefer OAuth if available.
      2) If you provide credentials, expect them (or session tokens) to be written to disk; treat those files as sensitive.
      3) If you plan to install from the GitHub repo referenced in the README, review that repository (commit history, issues, maintainer) to ensure you trust the source.
      4) If you want to limit risk, run the tool in an isolated environment (container or dedicated account) or avoid supplying your Cookidoo password and use OAuth-only login.

      Finally, ask the maintainer to update the skill metadata to declare any required env vars or credential storage paths so the security posture is clear.

      Latest Release

      v0.1.0

      Initial release, introducing tmx-cli Cookidoo/Thermomix integration.

      - Search and view recipe details with extensive filters.
      - Manage the weekly meal plan: show, sync, add, remove, and move recipes.
      - Generate and maintain shopping lists from recipes or meal plans.
      - Support for marking and unmarking favorite recipes.
      - Bundled pure-Python CLI; requires Python 3.9+ with no external dependencies.
      - Configuration for device model, dietary preferences, and maximum cooking time.


      Published by @Lars147 on ClawHub
