Bring Add
Pass
Audited by ClawScan on May 10, 2026.
Overview
This looks like a straightforward Bring! shopping-list CLI, but it needs your Bring! credentials and can add items to your shopping lists when invoked.
Install this only if you trust the local npm environment and are comfortable giving it Bring! account credentials. Use --dry-run to preview additions, set BRING_DEFAULT_LIST or --list to avoid the wrong list, and review dependency updates before reinstalling.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent invokes this skill with real item inputs, items will be added to the selected Bring! shopping list.
The code performs the expected account mutation: adding items to a Bring! shopping list. This is purpose-aligned and documented, but users should understand it changes their list unless dry-run is used.
await bring.batchUpdateList(listUuid, batchItems);
Use --dry-run for previews and specify --list when you want to avoid adding items to the wrong list.
Anyone or any process with access to those environment variables could potentially use the Bring! account through this CLI.
The skill requires Bring! account credentials. This is expected for adding items to a user's Bring! account and is disclosed in the documentation, but the registry metadata does not declare a primary credential.
export BRING_EMAIL="your@email.com"
export BRING_PASSWORD="yourpassword"
Provide credentials only in a trusted environment, avoid sharing logs or shells containing the password, and consider rotating the password if it may have been exposed.
A future install could depend on package-lock behavior or package resolution, and an unexpected dependency version could affect how credentials or API calls are handled.
The Bring! API library is declared with a wildcard version. A package-lock is present, but the unpinned dependency declaration is still a supply-chain detail users should notice when installing with npm.
"dependencies": {
  "bring-shopping": "*",
  "chalk": "^4.1.2",
  "commander": "^11.1.0"
}
Prefer installing with the included lockfile, review dependency changes before updating, and pin bring-shopping to a specific trusted version.
