Is harshasic/recipe-finder safe?
https://github.com/openclaw/skills/tree/main/skills/harshasic/recipe-finder
The harshasic/recipe-finder skill is a clean, minimal recipe lookup tool that queries the legitimate TheMealDB public API via web_fetch and presents results. The SKILL.md contains no prompt injection, no instructions to access sensitive files, no executable code, no git hooks, no submodules, and no suspicious network endpoints. All monitoring anomalies — canary file reads and external network connections — trace conclusively to the oathe audit framework's own baseline checks and standard Ubuntu system services, not to the skill or its install process. The skill is safe to install.
Findings (4)
INFO Canary file reads attributable to audit framework, not skill -5
Filesystem monitoring captured two clusters of read-only accesses to canary credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json). Timing analysis places the first cluster at auditd timestamp 1771934907.939 — before the git clone at 1771934913.458 — and the second at 1771934931.350 — after the audit scan completed. All accesses are CLOSE_NOWRITE (read-only). The canary integrity monitor confirms all files are intact. These reads are consistent with the oathe audit framework hashing canary files at start and end for integrity comparison.
INFO User recipe queries transmitted to third-party TheMealDB API -5
The skill instructs the agent to pass user-supplied ingredient names, cuisine types, and dietary restrictions as query parameters to TheMealDB API endpoints. TheMealDB is a well-known public service, but users should understand their food preference queries leave the local environment. No sensitive system data is transmitted.
INFO Hardcoded external API URLs — legitimate and scoped -3
The skill hardcodes four TheMealDB API URL templates. This is appropriate and expected for an API-backed skill. The URLs are static except for user-provided query values and do not reference attacker-controlled infrastructure. No obfuscation or encoding of URLs detected.
INFO Theoretical prompt injection via compromised TheMealDB API response -8
The skill instructs the agent to render recipe names, categories, ingredients, and brief instructions from API responses directly into output. If TheMealDB were ever to serve adversarially crafted content, that content would appear in the agent's context window and could attempt downstream instruction injection. This is a low-probability, standard risk for any skill that fetches and displays external content, not a defect specific to this skill.