Kroger Grocery

The skill bundle is classified as **benign**. The `_meta.json`, `SKILL.md`, and `references/setup.md` files describe a legitimate integration with the Kroger API using the `kroget` CLI tool. The `SKILL.md` provides clear instructions for the AI agent, including explicit "Important Safety Rules" such as "Never attempt checkout" and "The API can add to cart but cannot read cart contents or place orders," which actively mitigate potential misuse. While the `references/setup.md` includes `curl` commands that expose `CLIENT_ID:CLIENT_SECRET` for manual OAuth setup, this is part of a user-facing guide and not intended for the agent to execute with live credentials; the agent is instructed to use `kroget auth login` for secure authorization. There is no evidence of intentional data exfiltration, unauthorized command execution, persistence mechanisms, or prompt injection attempts designed to subvert the agent's purpose. All described actions and network calls are directly related to the stated goal of grocery ordering via the Kroger API.