Security audit

Kroger Grocery

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Kroger cart assistant with expected credential and cart-access risks, but no evidence of hidden, destructive, or unrelated behavior.

Install only if you are comfortable giving kroget access to your Kroger cart. Use pipx if possible, protect ~/.kroget/config.json and ~/.kroget/tokens.json, avoid pasting secrets into shared terminals, confirm item choices before cart changes, and review the cart in Kroger before checkout.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (3)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The skill description uses broad trigger language such as general grocery ordering, cart addition, meal planning, staples lists, and local price/availability checks without clear gating conditions or exclusions. This can cause the agent to invoke the skill in ambiguous situations and perform state-changing shopping actions, including adding items to a user's cart, when the user's intent or store context has not been sufficiently verified.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The setup guide includes a test command that performs a real cart modification (`kroget cart add ... --apply --yes`) without a prominent warning immediately before it that it changes the user's live Kroger cart. In this skill context, modifying a retail cart is the core function, but using an auto-confirming command in setup/testing can still cause unintended actions, confusion, or accidental purchases later if users proceed to checkout.

External Transmission

Medium

Category: Data Exfiltration
Content: **Headless/remote setup:** If the browser can't open (e.g., SSH session), kroget will print the authorization URL. Open it on any device, sign in, and when it redirects to `localhost:8400/callback?code=XXXX`, copy the full redirect URL. Then manually exchange the code: ```bash curl -s -X POST 'https://api.kroger.com/v1/connect/oauth2/token' \ -H 'Content-Type: application/x-www-form-urlencoded' \ -u 'CLIENT_ID:CLIENT_SECRET' \ -d 'grant_type=authorization_code&code=AUTH_CODE&redirect_uri=http://localhost:8400/callback'
Confidence: 74% confidence
Finding: https://api.kroger.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal