← Back to Skills Marketplace
Taste
by
Indigo Karasu
· GitHub ↗
· v3.0.1
· MIT-0
100
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install ocas-taste
Description
Generates personalized recommendations from real consumption data by scanning email/calendar, enriching venues, and explaining suggestions with prior behavior.
Usage Guidance
Before installing or enabling this skill, get answers and make changes to reduce risk: 1) Ask the author/platform how email/calendar access is granted and scoped (what OAuth scopes, consent screens, and tokens are used?) and insist credentials are explicit and limited. 2) Confirm how Google Maps enrichment is performed (official API with an API key vs. scraping public pages) and where any API keys would be stored. 3) Ask whether the skill will automatically register a cron job or auto-update itself; if so, require explicit user approval for updates and a way to disable cron/self-updates. 4) Understand where extracted data is stored, retention policy, encryption at rest, and how to delete data. 5) If you cannot verify these behaviors, consider running in a restricted sandbox or deny email/calendar access and use manual signal ingestion instead. 6) Prefer skills that declare required credentials and install steps explicitly; lack of declared credentials for email/calendar/Google Maps is a red flag. If the platform provides built-in connectors for email/calendar/maps, confirm that the skill will use those connectors without requiring additional long-lived secrets.
Capability Analysis
Type: OpenClaw Skill
Name: ocas-taste
Version: 3.0.1
The skill implements a high-risk self-update mechanism in SKILL.md (the `taste.update` command) that downloads and overwrites its own files from a remote GitHub repository using shell commands, creating a significant path for remote code execution (RCE) if the source is compromised. Additionally, the skill is designed to scan the user's private email and calendar for sensitive transactional data from various services (Amazon, DoorDash, hotel bookings), as detailed in references/email_extraction.md. While these behaviors are documented and aligned with the stated goal of personalized recommendations, the combination of broad sensitive data access and an unverified remote update path presents a substantial security risk.
Capability Assessment
Purpose & Capability
The skill legitimately needs access to the user's email, Google Calendar, and Google Maps/web search to deliver its stated functionality. However the registry metadata lists no required credentials or config paths. skill.json does declare read/write to ~/openclaw/data/ocas-taste and journals (which matches persisting extracted signals), but it does not declare how email/calendar or Google Maps access will be supplied (OAuth tokens, API key, or platform connectors). This mismatch between required sensitive resources and declared requirements is concerning.
Instruction Scope
SKILL.md and the references explicitly instruct the agent to read full email bodies and Google Calendar events, extract structured personal consumption data, enrich items via Google Maps and web search, persist JSONL records, and write journals. Those actions are within the described purpose, but the instructions also include 'Always use the user's email account, never the agent's account' and LLM-based extraction of email content — both require explicit, sensitive access. The skill also claims to register a cron job and perform automatic self-updates (README / setup), which expands scope to persistent system-level behavior not reflected in the registry metadata. No explicit limits or opt-outs are documented for scanning (e.g., allowlist editing, disabling auto-scan).
Install Mechanism
There is no install spec in the registry (instruction-only), which is lower risk; however SKILL.md and README include an 'install' line and describe registering a daily cron job and a self-update command that pulls from a GitHub repo. Those behaviors imply writing to system cron and fetching code from the network, but there's no declared install mechanism or explanation of how/when updates run or are authorized. Automatic self-updates and cron registration are high-impact operations and should be explicit in the install spec and permissions model.
Credentials
The skill will access highly sensitive personal data (full email bodies, calendar events) and external enrichment services (Google Maps / web search). Yet requires.env and primary credential are empty in the registry. There is no documented requirement for OAuth tokens, Google API keys, or other credentials; no mention of how credentials are obtained, stored, or scoped. This is disproportionate: reading email/calendar and calling Google Maps normally requires explicit credentialing and consent, which are not surfaced here.
Persistence & Privilege
The skill writes persistent data to ~/openclaw/data/ocas-taste/ and ~/openclaw/journals/ocas-taste/ (skill.json). README and SKILL.md state that taste.init registers a midnight cron job for automatic self-updates and that `taste.update` pulls from GitHub. While always:false and no cross-skill config modifications are declared, the implied automatic updater and cron registration grant the skill ongoing presence and the ability to fetch code, which increases risk if not managed and disclosed.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install ocas-taste - After installation, invoke the skill by name or use
/ocas-taste - Provide required inputs per the skill's parameter spec and get structured output
Version History
v3.0.1
ocas-taste v3.0.1 Changelog
- Improved skill documentation with comprehensive workflows for scanning, enrichment, ingestion, and recommendations.
- Added clearer responsibility boundaries and when-to-use/do-not-use scenarios.
- Outlined operating invariants to ensure recommendations are evidence-based, safe, and privacy-preserving.
- Described default configuration and persistent storage layout.
- Included specific command references for all primary features.
Metadata
Frequently Asked Questions
What is Taste?
Generates personalized recommendations from real consumption data by scanning email/calendar, enriching venues, and explaining suggestions with prior behavior. It is an AI Agent Skill for Claude Code / OpenClaw, with 100 downloads so far.
How do I install Taste?
Run "/install ocas-taste" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Taste free?
Yes, Taste is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Taste support?
Taste is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Taste?
It is built and maintained by Indigo Karasu (@indigokarasu); the current version is v3.0.1.
More Skills