Bring! Shopping List App (Unofficial)
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can act as the configured Bring! account for the lists that account can access.
The script logs into Bring! using email/password environment variables. This is expected for the stated integration, but it is account-level credential use.
const mail = process.env.BRING_EMAIL; const password = process.env.BRING_PASSWORD; ... await bring.login();
Store the credentials only in a trusted environment/config location, avoid sharing them, and rotate the password if you stop trusting the installation.
Mistaken or overly broad use could change the wrong shopping list item or list.
The CLI can add, remove, and check items in a Bring! list. These mutations are exactly what the skill advertises, but they change third-party account data.
await bring.saveItem(list.listUuid, item, spec); ... await bring.removeItem(list.listUuid, item); ... await bring.moveToRecentList(list.listUuid, item);
Specify the target list when making changes and review add/remove/check/uncheck requests before allowing the agent to run them.
The installed npm package version will determine the actual Bring! API behavior used by the skill.
The skill depends on an external npm package installed by name without a pinned version in the provided artifacts. This is expected for the integration but gives the package supply chain importance.
Install dependency in the skill folder: - `npm install bring-shopping`
Install from a trusted npm registry, consider pinning a known version, and review the dependency before using real account credentials.