Kroger Api.Skill

v1.0.0

Search Kroger/QFC products, manage cart, check pickup availability, and create pickup orders using the official Kroger API.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the code and SKILL.md: the package implements product search, locations, cart management, availability checks, and pickup order creation against api.kroger.com. No unrelated cloud credentials, binaries, or endpoints are requested.
Instruction Scope
SKILL.md directs running scripts/client.py and editing state.json to add client_id/client_secret, and to perform OAuth flow. The instructions and code only read/write the local state.json and grocery-list.txt; they do not attempt to read unrelated system files. Minor inconsistency: usage examples reference 'python3 kroger-api.skill/scripts/client.py' versus the actual path 'scripts/client.py' — ensure you run the correct path. Be aware the workflow requires you to place client credentials in plaintext state.json and the script will persist access/refresh tokens and cart/location state there.
Install Mechanism
This is an instruction-only skill with a bundled Python script (no install spec). It expects Python 3 and the 'requests' library, but the manifest does not declare dependencies. No remote downloads or installers are used. You should ensure your environment has Python and requests; run in an isolated environment if you want to limit risk.
Credentials
The skill does not request unrelated environment variables or external credentials. It requires Kroger OAuth credentials (client_id and client_secret) which are appropriate for the API operations requested. However, those credentials and the OAuth tokens are stored in state.json in plaintext; the requested OAuth scopes include fulfillment.readwrite and orders.pickup.create (able to place orders), so granting the app these scopes gives it power to create pickup orders on your account. This privilege is legitimate for the stated purpose but sensitive — treat credentials and tokens carefully.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills or system-wide configuration. It writes only to its own state.json (saving tokens, cart, location) which is normal for client tooling. Autonomous invocation is allowed (platform default) — note that autonomous execution + order-creating scopes increases potential impact, but this skill does not combine that with forced always-on presence.
Assessment
What to consider before installing/using this skill:
- It is coherent: it uses the official Kroger API endpoints and OAuth as described.
- Sensitive data handling: you must put client_id and client_secret into state.json and the script will save access/refresh tokens and cart info there in plaintext. Do not commit state.json to version control; store it somewhere secure or use environment-based secrets if preferred.
- OAuth scopes are powerful (can create pickup orders). Only authorize an app you trust and consider creating a dedicated Kroger developer app with limited access or revoking tokens after testing.
- Dependencies: ensure Python 3 and the 'requests' package are available; the package does not declare these automatically.
- Run in an isolated environment (local sandbox, dedicated VM, or container) if you are concerned about side effects. Test with non-production or test credentials first.
- Verify the redirect URI and the OAuth flow yourself; the script prints the auth URL and performs the token exchange locally.
- If you want stricter security, modify the code to load credentials from environment variables or a secure store and avoid storing client_secret in repository files.
Overall: this appears benign and does what it claims, but handle credentials and OAuth scopes carefully.
