Bring! Shopping List App (Unofficial)

Security checks across malware telemetry and agentic risk

Overview

This skill appears benign: it does what it says, but it can change a real Bring! shopping list using your Bring! credentials.

Install only if you are comfortable giving the skill Bring! account credentials. Specify the target list for any write action, review add/remove/check/uncheck requests before letting an agent run them, and consider pinning or reviewing the bring-shopping npm dependency before using it with a real account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill documents commands that add, remove, check, and uncheck items on a remote Bring! shopping list without clearly warning that these actions modify live user data. In an agent setting, this increases the risk of unintended state-changing operations being executed without explicit user confirmation, potentially altering shared household lists or causing confusion and data loss.

Missing User Warnings

Medium
Confidence: 89%
Finding
This CLI logs into a real Bring! account using BRING_EMAIL and BRING_PASSWORD and then performs state-changing remote actions such as adding, removing, checking, and unchecking items. There is no user-facing warning, confirmation, or dry-run behavior, so an agent or user invoking the tool may trigger authenticated network side effects on a real account without clearly understanding that the command will modify remote data.

VirusTotal

63/63 vendors flagged this skill as clean.
