Mealie API skill

by g1mb01d · GitHub ↗ · v1.0.0
cross-platform · ⚠ suspicious
Downloads: 895
Stars: 0
Active Installs: 0
Versions: 1
Install in OpenClaw
/install mealie
Description
Interact with a self‑hosted Mealie instance (recipe manager & meal planner) via its REST API. Use for adding, updating, retrieving recipes, meal plans and generating shopping lists. Trigger when the user mentions their Mealie URL, wants to import a recipe, create a meal plan or fetch a shopping list.
Usage Guidance
Do not install or run this skill without first verifying and correcting the inconsistencies. Specifically:
- Confirm the package actually includes scripts/mealie.sh (it is referenced in SKILL.md but not present in the file manifest). If it is missing, ask the author or reject the package.
- Expect to provide MEALIE_URL and a sensitive MEALIE_TOKEN; the registry metadata should declare these. Treat the token like a password, use a token with minimal scope, and rotate it regularly.
- Ensure curl and jq are available on the system before use. Inspect any script contents before making them executable; do not run unknown shell scripts blindly.
- Verify that the MEALIE_URL points to your intended self-hosted instance (to avoid sending tokens/data to an attacker-controlled host).
- If you plan to let the agent invoke this autonomously, consider the blast radius of a leaked token and prefer short-lived tokens or a proxy that enforces limits.
If the maintainer corrects the metadata (declare required env vars and required binaries) and includes the referenced script verbatim in the package, the skill would be coherent and appropriate for its stated purpose.
Capability Analysis
Type: OpenClaw Skill
Name: mealie
Version: 1.0.0
The skill bundle is classified as suspicious due to a significant vulnerability in `scripts/mealie.sh` (as described in `SKILL.md`). The `add-recipe` and `create-plan` commands use `curl --data @${1}`, which expects a file path. If the OpenClaw agent passes unsanitized user-provided input directly as this file path, it could lead to arbitrary local file reads (e.g., `/etc/passwd`) and exfiltration of their content to the user's configured Mealie instance. This represents a high-risk prompt injection vulnerability against the agent, allowing for potential data leakage, even though the skill itself does not exhibit explicit malicious intent like exfiltrating data to an unauthorized third party.
Capability Assessment
Purpose & Capability
The stated purpose (interacting with a self-hosted Mealie REST API) matches the operations shown in SKILL.md (adding recipes, meal plans, shopping lists). However the skill's registry metadata claims no required environment variables or binaries, while SKILL.md requires MEALIE_URL and MEALIE_TOKEN and uses curl/jq — a mismatch that reduces trust in the package metadata.
Instruction Scope
SKILL.md instructs the agent to run a bundled script (scripts/mealie.sh) that calls the Mealie API using a bearer token from environment variables. The file manifest does not include this script; the instructions also call jq and curl but the skill declares no required binaries. The instructions will transmit user-provided recipe JSON and an API token to whatever MEALIE_URL is set — expected for the feature but important to verify and scope.
Install Mechanism
There is no install spec (instruction-only), which is low-risk in general, but SKILL.md refers to a bundled script and tells the user to chmod it. The package manifest shows only SKILL.md — the claimed bundled script is absent. This inconsistency means an installer or runtime may not actually have the script the instructions expect.
Credentials
The environment variables required by the runtime (MEALIE_URL, MEALIE_TOKEN) are appropriate for this integration, but the registry metadata lists none. The skill will use a bearer API token (sensitive) to make network requests; requiring a token is proportionate, but the missing declaration in metadata and the lack of declared required binaries (curl, jq) are coherence issues the user should correct/verify before use.
Persistence & Privilege
The skill does not request persistent or elevated platform privileges (always:false) and doesn't claim to modify other skills or system-wide settings. Still, the instructions suggest creating/executing a script if it existed; verify any added files before running.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install mealie
  3. After installation, invoke the skill by name or use /mealie
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of the Mealie skill for interacting with a self‑hosted Mealie instance via its REST API.
- Provides a Bash helper script (`scripts/mealie.sh`) for common operations: adding and retrieving recipes, creating meal plans, and fetching shopping lists.
- Usage requires setting environment variables `MEALIE_URL` and `MEALIE_TOKEN`.
- Designed for use in chat to automate recipe management and meal planning tasks.
- Easily extensible to support additional Mealie API endpoints via the helper script.
Metadata
Slug mealie
Version 1.0.0
License
All-time Installs 1
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Mealie API skill?

Interact with a self‑hosted Mealie instance (recipe manager & meal planner) via its REST API. Use for adding, updating, retrieving recipes, meal plans and generating shopping lists. Trigger when the user mentions their Mealie URL, wants to import a recipe, create a meal plan or fetch a shopping list. It is an AI Agent Skill for Claude Code / OpenClaw, with 895 downloads so far.

How do I install Mealie API skill?

Run "/install mealie" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Mealie API skill free?

Yes, Mealie API skill is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Mealie API skill support?

Mealie API skill is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Mealie API skill?

It is built and maintained by g1mb01d (@g1mb01d); the current version is v1.0.0.
