Skill v1.0.0

ClawScan security

Bring! Shopping Lists · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 11, 2026, 8:59 AM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code, instructions, and requirements are consistent with a Bring! shopping-list CLI: it needs your Bring email/password, uses the bring-shopping npm package, and stores config under ~/.openclaw/bring — nothing appears to be doing unrelated or hidden actions.
Guidance
This skill appears to do what it claims, but review and accept these trade-offs before installing: (1) it requires installing the third-party npm package `bring-shopping` globally — audit that package/repo and prefer installing with a pinned version; (2) it stores your Bring email and password in plaintext at ~/.openclaw/bring/config.json, which grants persistent access to your Bring account — consider whether you want to provide those credentials and whether the Bring API supports token-based auth instead; (3) global npm installs run code during install and can modify your environment — install in a controlled environment or inspect the package first. If you don't trust the bring-shopping package or the skill author, do not install or run the CLI.

Review Dimensions

Purpose & Capability
ok: Name/description match the included CLI wrapper and API reference. The skill requires authentication and interacting with Bring list APIs, which explains the email/password and the bring-shopping npm dependency.
Instruction Scope
note: Runtime instructions are scoped to Bring operations (list, add, remove, detect language). They explicitly instruct installing the bring-shopping npm package and running a local CLI wrapper. They also instruct storing email/password in ~/.openclaw/bring/config.json (plaintext), which is functionally required but a security/privacy consideration.
Install Mechanism
note: There is no registry install spec; SKILL.md instructs users to run `npm install -g bring-shopping`. Using an npm package is expected for this purpose but carries typical third-party-package risk (supply-chain risk, arbitrary code during install). The packaged script references that dependency; this is coherent, but it is worth reviewing the bring-shopping project before installing it globally.
Credentials
note: The skill requests no environment variables and does not require unrelated credentials. It does require and persist the user's Bring email/password in a config file — proportional to functionality but it means the skill will have long-term access to the user's Bring account if the file is present.
Persistence & Privilege
ok: The skill does write its own config under the user's home directory (~/.openclaw/bring) but does not request always:true, system-wide changes, or other skills' configs. This level of persistence is expected for a CLI that stores credentials and a default list.