← 返回 Skills 市场
Hellofresh
作者
Guillaume Maka
· GitHub ↗
· v1.0.0
· MIT-0
96
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install hellofresh
功能描述
Manage your HelloFresh subscription, find and convert recipes to audio, track shipments, and receive delivery notifications via Telegram.
使用说明 (SKILL.md)
HelloFresh Assistant
Description: Interact with your HelloFresh account — discover recipes, manage selections, convert instructions to audio, and get shipment alerts.
Commands:
/hello-fresh setup— First-time setup (collects subscription info)/hello-fresh status— Show subscription status/hello-fresh discover [week]— Find recipes (this/next/last/2026-W11)/hello-fresh history— Past deliveries/hello-fresh recommend— AI recommendations/hello-fresh convert \x3Crecipe>— Text-to-speech cooking instructions/hello-fresh track— Delivery tracking/hello-fresh notify— Notification settings & check shipment/hello-fresh notify check— Manually check current shipment status/hello-fresh notify enable— Enable shipment alerts/hello-fresh notify disable— Disable shipment alerts/hello-fresh reset— Clear session
Requires: browser, tts
Storage: ~/.openclaw/hellofresh/session.json
Browser: Uses profile="chrome" (Chrome Extension Relay) or Kernel.sh cloud
Shipment Alerts:
- Automatically detects when your box status changes (e.g., "Shipping soon" → "Out for delivery")
- Sends notifications via Telegram when enabled
- Tracks status history for change detection
安全使用建议
Before installing, consider these points:
- The skill will read and store sensitive HelloFresh data (addresses, subscription IDs, payment info, tracking links) under ~/.openclaw/hellofresh — review the code if you are uncomfortable with local storage of this data.
- Cloud mode (USE_KERNEL=true) requires a KERNEL_API_KEY; the registry omitted this env var but the code uses it. Cloud mode creates remote browser sessions on kernel.sh that will see your HelloFresh pages — only use it if you trust that service.
- Notification features mention Telegram/Discord but the skill does not declare how to supply bot tokens or chat IDs. Verify how notifications are configured and where messages will be sent before enabling notifications.
- IMPLEMENTATION_NOTES discusses a Gmail Pub/Sub approach (requiring Gmail API/OAuth). That would require granting email access; although not implemented now, it shows the codebase may expand toward accessing email. Be cautious about granting additional credentials.
- If you want to proceed: run the skill in local mode (USE_KERNEL=false) so it uses your local browser context rather than a remote kernel. Inspect handler.ts fully (especially the parts that send notifications or make network calls) and confirm what external endpoints receive your data. Prefer providing explicit environment variables for notification channels and audit those message sinks.
If you cannot review the code, treat the skill as higher-risk and avoid enabling cloud mode or any notification automation that might transmit sensitive information.
功能分析
Type: OpenClaw Skill
Name: hellofresh
Version: 1.0.0
The skill bundle contains a significant data leak in IMPLEMENTATION_NOTES.md, which includes hardcoded PII such as a specific phone number (+18194482636), subscription IDs, and delivery instructions. Additionally, handler.ts is incomplete and references an undefined function 'checkShipmentAlert', which would cause the agent to fail during notification tasks. While the browser-based automation logic for HelloFresh appears functionally aligned with the description, the inclusion of real-world testing data and incomplete code constitutes a security and stability risk.
能力评估
Purpose & Capability
The skill's name/description (manage HelloFresh, recipes, notifications) aligns with the code that navigates the HelloFresh site and stores subscription/session data. However the registry metadata lists no required environment variables while the code and README clearly expect USE_KERNEL and KERNEL_API_KEY for cloud mode and the SKILL.md/README advertise Telegram/notification features without declaring required Telegram/Discord/Gmail credentials. That mismatch between claimed requirements and actual code is notable.
Instruction Scope
SKILL.md instructs the agent to use a browser (local Chrome or Kernel.sh cloud), store session data at ~/.openclaw/hellofresh/session.json, and send shipment alerts via Telegram. The instructions do not specify how Telegram/Discord credentials are provided, nor do they document the exact data sent in notifications. IMPLEMENTATION_NOTES also describes an alternative Gmail-based approach (requiring Gmail API/OAuth) even though that is not implemented; this indicates potential scope creep toward accessing email. The code will navigate and parse authenticated HelloFresh pages (which can include addresses/payment info) — appropriate for the stated purpose, but the notification and email avenues are underspecified and could lead to sensitive data being read/transmitted.
Install Mechanism
The registry lists no install spec (instruction-only), but the package includes package.json and npm deps (@onkernel/sdk, playwright). The README instructs npm install. That is a typical install mechanism (public npm packages) and not directly high-risk, but the mismatch between 'no install spec' and included Node dependencies should be highlighted because those dependencies (playwright, kernel SDK) enable remote/cloud browser operation and disk I/O.
Credentials
The skill registry declares no required env vars, but the code and README expect USE_KERNEL and KERNEL_API_KEY for cloud mode. The skill also implements notification features (preferredChannel includes 'telegram' and 'discord') yet no TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, DISCORD_WEBHOOK, or Gmail credentials are declared. The skill reads/writes session and recipe cache files under the user's HOME and will store sensitive fields (deliveryAddress, paymentMethod, subscription id, tracking codes). Requiring a cloud API key (kernel) without declaring it in metadata and leaving notification credential handling unspecified is disproportionate and unclear.
Persistence & Privilege
Persistence is limited to user-scoped files under ~/.openclaw/hellofresh (session.json, recipes.json), which is expected for this kind of skill. always is false (not force-included). One important consideration: enabling cloud mode with KERNEL_API_KEY creates remote browser sessions on a third-party service (kernel.sh) that will see whatever pages the skill navigates (including your HelloFresh pages); that increases the blast radius compared with purely local browser operation.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install hellofresh - 安装完成后,直接呼叫该 Skill 的名称或使用
/hellofresh触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of HelloFresh Assistant.
- Discover and browse HelloFresh recipes for any week.
- Manage your HelloFresh subscription and track current or past deliveries.
- Get personalized recipe recommendations.
- Convert recipe instructions to text-to-speech audio.
- Receive shipment alerts and notifications via Telegram.
- Easily configure, reset, and manage notification settings.
元数据
常见问题
Hellofresh 是什么?
Manage your HelloFresh subscription, find and convert recipes to audio, track shipments, and receive delivery notifications via Telegram. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 96 次。
如何安装 Hellofresh?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install hellofresh」即可一键安装,无需额外配置。
Hellofresh 是免费的吗?
是的,Hellofresh 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Hellofresh 支持哪些平台?
Hellofresh 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Hellofresh?
由 Guillaume Maka(@guillaumemaka)开发并维护,当前版本 v1.0.0。
推荐 Skills