Hellofresh

Security checks across malware telemetry and agentic risk

Overview

This HelloFresh helper is purpose-aligned, but it handles private account and delivery data that users should treat carefully.

Install only if you are comfortable letting the skill use your logged-in HelloFresh browser session and store subscription details locally. Prefer local mode unless you trust Kernel cloud with the account pages it loads, review any meal-selection changes in the browser before saving them, and do not enable any future Gmail-based tracking feature unless it is clearly opt-in and limited to HelloFresh shipment messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The notes propose adding Gmail monitoring and Pub/Sub access to obtain shipment information, which materially expands the skill's access from HelloFresh account interaction into email surveillance. That creates unnecessary collection of unrelated mailbox data and introduces new secrets, APIs, and automation surfaces that could expose private user communications if implemented or misused.

Missing User Warnings

Medium
Confidence: 93%
Finding
The proposed email-based approach involves reading Gmail messages, setting up filters, and storing OAuth or app-password credentials without any visible user warning or privacy boundary. Because mailbox contents can contain sensitive personal and financial information beyond shipping notices, this creates a meaningful privacy and credential-handling risk even if the original goal is only package tracking.

Missing User Warnings

Medium
Confidence: 90%
Finding
The README advertises account-changing capabilities, order history access, AI recommendations, notifications, and optional cloud browser support, but it does not warn users that using the skill may expose account data, behavioral history, or session activity to local extensions or remote infrastructure. This creates a real transparency and privacy-risk issue because users may authorize sensitive actions or route account interactions through third-party services without informed consent.

Missing User Warnings

Medium
Confidence: 95%
Finding
The cloud-mode configuration instructs users to set a remote-service API key and implies account interactions can run on remote servers, but it provides no warning about credential sensitivity, secret storage, or remote data transmission. Users could expose API keys through shell history, logs, screenshots, or misconfigured environments, and may not realize that HelloFresh-related browsing/session data could traverse third-party cloud systems.

Missing User Warnings

Low
Confidence: 93%
Finding
The skill explicitly stores account session data at `~/.openclaw/hellofresh/session.json` but does not warn the user that potentially sensitive account/session information will be persisted locally. This creates a privacy and local-compromise risk because users may not realize credentials or authenticated session artifacts remain on disk after use.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill states that shipment alerts are sent via Telegram when enabled, but it does not provide a clear privacy warning that order/shipment metadata may be disclosed to a third-party messaging platform. Users may unknowingly expose delivery timing and account-linked information outside the original service boundary.

Missing User Warnings

Medium
Confidence: 81%
Finding
The skill persists session and recipe data to predictable local files under the user's home directory without any access-control hardening, encryption, or disclosure in this code path. Because the session object contains sensitive subscription, address, payment-method metadata, and preference data, another local process or user with filesystem access could read or tamper with this information.

VirusTotal

67/67 vendors flagged this skill as clean.
