Kroger Api.Skill
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its Kroger shopping purpose, but its workflow can let an agent create real pickup orders without an explicit final confirmation step.
Use this only if you are comfortable storing Kroger OAuth credentials locally. Before any order-create action, require the agent to show and confirm the exact items, quantities, store, pickup time, and account impact, and clear or protect state.json after use.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could place an unwanted or incorrect grocery pickup order if it chooses the wrong product, quantity, location, or time.
This directs the agent to select products and proceed to ordering without an explicit final user approval step for a real account action.
Agent: for each item search, pick UPC (e.g. first result), add_to_cart, then availability, order.
Require explicit user confirmation before running order-create, including the final UPCs/items, quantities, store, pickup slot, and any expected cost or account impact.
Anyone or any agent with access to the state file may be able to use the saved Kroger session permissions until the tokens are revoked or expire.
The skill requires delegated Kroger API access, including permissions that can create pickup orders, and stores the resulting tokens in a local state file.
Scopes: `product.compact locations.read fulfillment.readwrite orders.pickup.create` ... `state.json`: tokens, cart, location_id.
Keep state.json private, do not share it, revoke tokens if compromised, and use the narrowest Kroger API scopes that still support the intended workflow.
A stale cart or saved location could be reused in a later task and lead to incorrect availability checks or order attempts.
Cart contents and location are persisted across runs, so old state can influence later shopping actions.
self.state['cart'] = cart ... self.state['location_id'] = location_id ... self._save_state()
Review cart-get and the saved location before checkout, and clear cart or reset state.json when switching users, stores, or shopping sessions.
