Bring Rezepte
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its Bring! recipe and shopping-list purpose, but one authenticated content-fetch path appears insufficiently bounded and should be reviewed before use.
Use this skill only if you are comfortable giving it Bring! account access. Prefer environment variables for credentials, confirm every list change, avoid arbitrary --content-url values, and only set BRING_NODE_API_PATH to trusted code.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can log in to the user’s Bring! account and access or change shopping-list data during use.
The skill requires Bring! account credentials. This is expected for accessing and updating a Bring! list, but account passwords are sensitive and command-line password arguments can be more exposed than environment variables.
- name: BRING_EMAIL ... required: true
- name: BRING_PASSWORD ... required: true
...
If ENV is not set, pass `--email` and `--password` explicitly.
Prefer environment variables or a secure secret store over command-line password arguments, and use an account/password you are comfortable granting to the skill.
A malicious or mistaken content URL could receive Bring! authentication headers, potentially allowing access to the user’s shopping-list account until the token expires.
This helper sends the provided headers to whatever URL is supplied. The skill’s documented content flow uses authenticated Bring! headers, so a missing host allowlist could expose Bring! session headers if a bad content URL is passed.
async function fetchContent(url, headers) {
  const resp = await fetch(url, { headers });
Validate that content URLs are under the expected Bring! API host before attaching Authorization or other Bring! headers, and strip auth headers for any non-Bring URL.
Approved actions can add items or create lists in the user’s Bring! account.
The skill can mutate a shopping list, but the instructions clearly require explicit user confirmation before adding ingredients.
**IMPORTANT: Always explicitly ask for confirmation before adding items to the list!** ... Only on explicit confirmation: Add their ingredients
Before approving, check the selected recipe, ingredient list, and target Bring! list.
If BRING_NODE_API_PATH points to untrusted code, that code would run with the user’s local permissions and access to the provided Bring! credentials.
The script can load a Bring API implementation from a user-specified local path before falling back to the package dependency. This is disclosed, but any required local module executes as Node.js code.
const envPath = process.env.BRING_NODE_API_PATH;
if (envPath) {
return require(envPath);
}
...
return require("bring-shopping");
Set BRING_NODE_API_PATH only to a trusted, reviewed local file, or leave it unset to use the packaged dependency.
