Bring! Shoppinglist

ReviewAudited by ClawScan on May 10, 2026.

Overview

The skill appears to match its purpose of managing Bring! shopping lists, but it requires Bring! credentials and an unpinned third-party Python package.

Install only if you are comfortable giving the skill access to your Bring! account. Store credentials carefully, prefer a pinned dependency version, and specify the target shopping list when asking the agent to add, remove, or complete items.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Medium

#ASI03: Identity and Privilege Abuse

What this means

If the stored password or environment variables are exposed, another process or user could access and modify the Bring! shopping lists for that account.

Why it was flagged

The skill requires Bring! account credentials even though the registry metadata declares no required credentials or env vars. This is purpose-aligned, but users should recognize that the password grants account access.

Skill content

Configure credentials — set env vars `BRING_EMAIL` and `BRING_PASSWORD`, or create `~/.openclaw/credentials/bring.json`

Recommendation

Declare the credential requirements in metadata, store the credential file with restrictive permissions, and avoid reusing a high-value password where possible.

Low

#ASI02: Tool Misuse and Exploitation

What this means

A mistaken or ambiguous invocation could change the wrong list item or mark an item complete unintentionally.

Why it was flagged

The CLI can change remote Bring! list contents by adding, removing, or completing items. This is the stated purpose, but it is still mutation authority over account data.

Skill content

await bring.batch_update_list(list_uuid, bring_item, BringItemOperation.ADD) ... BringItemOperation.REMOVE ... await bring.complete_item(list_uuid, target_uuid)

Recommendation

Use clear user requests for mutations, specify `--list` or set `BRING_LIST`, and ask for confirmation before ambiguous remove or complete actions.

Low

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

Future package changes or a compromised dependency could affect how credentials and shopping-list actions are handled.

Why it was flagged

The setup relies on an unpinned third-party package that is outside the reviewed skill artifacts. The dependency is central to the skill, but its exact installed version is not fixed.

Skill content

python3 -m pip install bring-api ... Based on [`miaucl/bring-api`](https://github.com/miaucl/bring-api) (unofficial Bring! API, MIT license).

Recommendation

Install in a virtual environment, pin a reviewed `bring-api` version, and verify the package source before use.