Back to skill

Security audit

Swiggy_T1

Security checks across malware telemetry and agentic risk

Overview

This Swiggy skill is a disclosed food, grocery, and booking integration with explicit confirmation rules before real orders or bookings.

Install only if you are comfortable authenticating with Swiggy and sending searches, location/address, cart, order, and booking details to Swiggy-operated services. Before approving any COD order, verify the items, total, delivery address, time, and the no-cancellation limitation; also confirm the missing CLI implementation is supplied by the installer or trusted source.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Missing User Warnings

Low
Confidence
90% confidence
Finding
The README states that the skill connects to Swiggy HTTP MCP servers and triggers OAuth, but it does not clearly disclose that user data such as account identity, delivery address/location, search queries, cart contents, and booking/order details will be transmitted to Swiggy-operated services. This is primarily a transparency and privacy-notice issue rather than an exploit primitive, but users may unknowingly expose sensitive personal or behavioral data when using the skill.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger examples are very broad everyday phrases like 'Order biryani' and 'Get eggs and milk', which can cause the skill to be invoked in contexts where the user did not explicitly intend to use Swiggy. Because this skill can ultimately place real COD orders and bookings, accidental invocation increases the risk of unintended commerce actions even though the document also includes confirmation steps.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The manifest advertises ordering, grocery, and restaurant-booking features and defines three external HTTP MCP endpoints, but it does not clearly disclose that user prompts, addresses, order details, or booking data may be transmitted to third-party services. In a commerce skill, this omission can lead to users unknowingly sharing sensitive personal and transactional data with external systems, increasing privacy and consent risk.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"license": "MIT",
  "dependencies": {},
  "peerDependencies": {
    "clawdbot": "*"
  },
  "engines": {
    "node": ">=18.0.0"
Confidence
91% confidence
Finding
"clawdbot": "*"

Known Vulnerable Dependency: clawdbot — 10 advisory(ies): CVE-2026-26317 (OpenClaw affected by cross-site request forgery (CSRF) through loopback browser ); GHSA-chm2-m3w2-wcxm (OpenClaw Google Chat spoofing access with allowlist authorized mutable email pri); CVE-2026-26328 (OpenClaw iMessage group allowlist authorization inherited DM pairing-store ident) +7 more

High
Category
Supply Chain
Confidence
97% confidence
Finding
clawdbot

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.