Is plan2meal safe?
https://clawhub.ai/okikeSolutions/plan2meal
Plan2Meal is a functional recipe/grocery management skill with clean code, no install hooks, and transparent disclosure of its data routing. The primary concern is that all user data and OAuth access tokens are forwarded to an external Convex backend, meaning users must trust both the skill author and the backend operator. The skill blocks the shared default backend unless the user explicitly opts in, which is a positive security pattern, but the OAuth token forwarding model creates inherent risk.
Findings (9)
MEDIUM All data routed to external Convex backend -25
Every recipe, grocery list, and search query is sent to an external Convex backend. While the skill discloses this and blocks the shared default backend unless explicitly opted in, users must trust the backend operator with all their data, including OAuth access tokens.
MEDIUM OAuth access tokens forwarded to third-party backend -15
GitHub, Google, and Apple OAuth access tokens obtained during login are stored in memory and then sent as Bearer tokens to the Convex backend on every API call. The Convex backend operator could harvest these tokens to access user accounts on those platforms.
LOW Large credential surface area via environment variables -5
The skill requires up to 11 environment variables including OAuth client IDs and secrets for three providers. While these are necessary for OAuth flows, misconfiguration could expose credentials.
LOW Weak OAuth state parameter generation -10
The OAuth state parameter used for CSRF protection is generated using Math.random(), which is not cryptographically secure. This could theoretically allow CSRF attacks against the OAuth flow, though exploitation is difficult in practice.
LOW Shared default backend co-mingles user data -10
The default Convex backend (gallant-bass-875.convex.cloud) is shared infrastructure. While blocked by default, users who opt in with ALLOW_DEFAULT_BACKEND=true share backend resources with all other users of this skill.
INFO SKILL.md is well-scoped with clear routing guardrails 0
The skill defines explicit 'use when' and 'don't use when' conditions, includes a security checklist, and transparently discloses data routing. No prompt injection patterns detected.
INFO Clean package.json with no install hooks 0
No preinstall, postinstall, or other lifecycle scripts that execute during npm install. Only standard build/dev/lint scripts present.
INFO Minimal dependency footprint 0
Single runtime dependency (axios) with only standard dev dependencies (typescript, eslint). No suspicious or obscure packages.
INFO Clean install with no network activity 0
Clone and install produced no network connections, no unexpected processes, and no filesystem changes outside the skill directory.