Security audit

Kroger Grocery

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Kroger cart assistant with expected credential and cart-access risks, but no evidence of hidden, destructive, or unrelated behavior.

Install only if you are comfortable giving kroget access to your Kroger cart. Use pipx if possible, protect ~/.kroget/config.json and ~/.kroget/tokens.json, avoid pasting secrets into shared terminals, confirm item choices before cart changes, and review the cart in Kroger before checkout.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill description uses broad trigger language such as general grocery ordering, cart addition, meal planning, staples lists, and local price/availability checks without clear gating conditions or exclusions. This can cause the agent to invoke the skill in ambiguous situations and perform state-changing shopping actions, including adding items to a user's cart, when the user's intent or store context has not been sufficiently verified.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The setup guide includes a test command that performs a real cart modification (`kroget cart add ... --apply --yes`) without a prominent warning immediately before it that it changes the user's live Kroger cart. In this skill context, modifying a retail cart is the core function, but using an auto-confirming command in setup/testing can still cause unintended actions, confusion, or accidental purchases later if users proceed to checkout.

External Transmission

Medium
Category
Data Exfiltration
Content
**Headless/remote setup:** If the browser can't open (e.g., SSH session), kroget will print the authorization URL. Open it on any device, sign in, and when it redirects to `localhost:8400/callback?code=XXXX`, copy the full redirect URL. Then manually exchange the code:

```bash
curl -s -X POST 'https://api.kroger.com/v1/connect/oauth2/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -u 'CLIENT_ID:CLIENT_SECRET' \
  -d 'grant_type=authorization_code&code=AUTH_CODE&redirect_uri=http://localhost:8400/callback'
```
Confidence
74% confidence
Finding
https://api.kroger.com/

VirusTotal

66/66 vendors flagged this skill as clean.
