← 返回 Skills 市场
895
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install mealie
功能描述
Interact with a self‑hosted Mealie instance (recipe manager & meal planner) via its REST API. Use for adding, updating, retrieving recipes, meal plans and generating shopping lists. Trigger when the user mentions their Mealie URL, wants to import a recipe, create a meal plan or fetch a shopping list.
安全使用建议
Do not install or run this skill without first verifying and correcting the inconsistencies. Specifically:
- Confirm the package actually includes scripts/mealie.sh (it is referenced in SKILL.md but not present in the file manifest). If it is missing, ask the author or reject the package.
- Expect to provide MEALIE_URL and a sensitive MEALIE_TOKEN; the registry metadata should declare these — treat the token like a password, use a token with minimal scope, and rotate it regularly.
- Ensure curl and jq are available on the system before use. Inspect any script contents before making them executable; do not run unknown shell scripts blindly.
- Verify that the MEALIE_URL points to your intended self-hosted instance (to avoid sending tokens/data to an attacker-controlled host).
- If you plan to let the agent invoke this autonomously, consider the blast radius of a leaked token and prefer short-lived tokens or a proxy that enforces limits.
If the maintainer corrects the metadata (declare required env vars and required binaries) and includes the referenced script verbatim in the package, the skill would be coherent and appropriate for its stated purpose.
功能分析
Type: OpenClaw Skill
Name: mealie
Version: 1.0.0
The skill bundle is classified as suspicious due to a significant vulnerability in `scripts/mealie.sh` (as described in `SKILL.md`). The `add-recipe` and `create-plan` commands use `curl --data @${1}`, which expects a file path. If the OpenClaw agent passes unsanitized user-provided input directly as this file path, it could lead to arbitrary local file reads (e.g., `/etc/passwd`) and exfiltration of their content to the user's configured Mealie instance. This represents a high-risk prompt injection vulnerability against the agent, allowing for potential data leakage, even though the skill itself does not exhibit explicit malicious intent like exfiltrating data to an unauthorized third party.
能力评估
Purpose & Capability
The stated purpose (interacting with a self-hosted Mealie REST API) matches the operations shown in SKILL.md (adding recipes, meal plans, shopping lists). However the skill's registry metadata claims no required environment variables or binaries, while SKILL.md requires MEALIE_URL and MEALIE_TOKEN and uses curl/jq — a mismatch that reduces trust in the package metadata.
Instruction Scope
SKILL.md instructs the agent to run a bundled script (scripts/mealie.sh) that calls the Mealie API using a bearer token from environment variables. The file manifest does not include this script; the instructions also call jq and curl but the skill declares no required binaries. The instructions will transmit user-provided recipe JSON and an API token to whatever MEALIE_URL is set — expected for the feature but important to verify and scope.
Install Mechanism
There is no install spec (instruction-only), which is low-risk in general, but SKILL.md refers to a bundled script and tells the user to chmod it. The package manifest shows only SKILL.md — the claimed bundled script is absent. This inconsistency means an installer or runtime may not actually have the script the instructions expect.
Credentials
The environment variables required by the runtime (MEALIE_URL, MEALIE_TOKEN) are appropriate for this integration, but the registry metadata lists none. The skill will use a bearer API token (sensitive) to make network requests; requiring a token is proportionate, but the missing declaration in metadata and the lack of declared required binaries (curl, jq) are coherence issues the user should correct/verify before use.
Persistence & Privilege
The skill does not request persistent or elevated platform privileges (always:false) and doesn't claim to modify other skills or system-wide settings. Still, the instructions suggest creating/executing a script if it existed; verify any added files before running.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install mealie - 安装完成后,直接呼叫该 Skill 的名称或使用
/mealie触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
- Initial release of the Mealie skill for interacting with a self‑hosted Mealie instance via its REST API.
- Provides a Bash helper script (`scripts/mealie.sh`) for common operations: adding and retrieving recipes, creating meal plans, and fetching shopping lists.
- Usage requires setting environment variables `MEALIE_URL` and `MEALIE_TOKEN`.
- Designed for use in chat to automate recipe management and meal planning tasks.
- Easily extensible to support additional Mealie API endpoints via the helper script.
元数据
常见问题
Mealie API skill 是什么?
Interact with a self‑hosted Mealie instance (recipe manager & meal planner) via its REST API. Use for adding, updating, retrieving recipes, meal plans and generating shopping lists. Trigger when the user mentions their Mealie URL, wants to import a recipe, create a meal plan or fetch a shopping list. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 895 次。
如何安装 Mealie API skill?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install mealie」即可一键安装,无需额外配置。
Mealie API skill 是免费的吗?
是的,Mealie API skill 完全免费(开源免费),可自由下载、安装和使用。
Mealie API skill 支持哪些平台?
Mealie API skill 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Mealie API skill?
由 g1mb01d(@g1mb01d)开发并维护,当前版本 v1.0.0。
推荐 Skills