Trust Assessment
cookidoo received a trust score of 79/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 1 medium, and 1 low severity. Key findings include Reliance on Unofficial Third-Party API, Sensitive Credentials Processed by Unofficial Library, Documentation Suggests Writing Data to `/tmp`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Reliance on Unofficial Third-Party API**: The skill explicitly relies on `miaucl/cookidoo-api`, an unofficial Python package for interacting with the Cookidoo service. Unofficial APIs may lack security audits or proper maintenance, or could be intentionally malicious, leading to potential data breaches, credential harvesting, or service disruptions. This risk is heightened because the library handles user credentials (email and password). Investigate whether an official Cookidoo API or SDK is available. If not, thoroughly audit the `cookidoo-api` library for security vulnerabilities, maintainability, and malicious code. Consider forking and maintaining a trusted version if necessary. Implement robust error handling and monitoring for API changes. | LLM | SKILL.md:40 |
| MEDIUM | **Sensitive Credentials Processed by Unofficial Library**: The `scripts/cookidoo_cli.py` script retrieves `COOKIDOO_EMAIL` and `COOKIDOO_PASSWORD` from environment variables or a local configuration file. These sensitive credentials are then passed directly to the `cookidoo_api` library for authentication. Given that `cookidoo_api` is an unofficial third-party library, there is an elevated risk that it could be compromised or designed to harvest these credentials, even if the current implementation appears benign. As part of addressing the supply chain risk, a thorough security audit of the `cookidoo-api` library is crucial to ensure it handles credentials securely and does not exfiltrate them. If possible, use API tokens or OAuth instead of a direct username/password. | LLM | scripts/cookidoo_cli.py:40 |
| LOW | **Documentation Suggests Writing Data to `/tmp`**: The `SKILL.md` documentation suggests redirecting the output of `cookidoo_cli.py ingredients --json` to a temporary file at `/tmp/ingredients.json`. While the script itself writes to stdout, this documented pattern encourages writing potentially sensitive user data (even if just ingredient lists) to a world-writable temporary directory. If not handled carefully (e.g., immediate deletion, strict permissions), this could allow other processes or users on a multi-user system to access the data. Advise users to be cautious when writing data to `/tmp`. Recommend more secure temporary file creation methods (e.g., Python's `tempfile` module with `NamedTemporaryFile` for atomic creation and automatic cleanup) if the skill were to write files directly. For user-initiated redirects, emphasize the importance of deleting temporary files promptly and setting appropriate file permissions. | LLM | SKILL.md:30 |
Full report: https://skillshield.io/report/33d32259c650d4b9