Bring! Shoppinglist

Pass

Audited by VirusTotal on May 10, 2026.

Overview

Type: OpenClaw Skill
Name: bring-app
Version: 1.0.1

The skill bundle provides a legitimate CLI interface for managing Bring! shopping lists using the 'bring-api' library. The Python script (bring.py) handles credentials locally via environment variables or a configuration file and communicates only with the Bring! API as intended, with no evidence of malicious behavior, data exfiltration, or prompt injection.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the stored password or environment variables are exposed, another process or user could access and modify the Bring! shopping lists for that account.

Why it was flagged

The skill requires Bring! account credentials even though the registry metadata declares no required credentials or env vars. This is purpose-aligned, but users should recognize that the password grants account access.

Skill content

Configure credentials — set env vars `BRING_EMAIL` and `BRING_PASSWORD`, or create `~/.openclaw/credentials/bring.json`

Recommendation

Declare the credential requirements in metadata, store the credential file with restrictive permissions, and avoid reusing a high-value password where possible.

What this means

A mistaken or ambiguous invocation could change the wrong list item or mark an item complete unintentionally.

Why it was flagged

The CLI can change remote Bring! list contents by adding, removing, or completing items. This is the stated purpose, but it is still mutation authority over account data.

Skill content

await bring.batch_update_list(list_uuid, bring_item, BringItemOperation.ADD) ... BringItemOperation.REMOVE ... await bring.complete_item(list_uuid, target_uuid)

Recommendation

Use clear user requests for mutations, specify `--list` or set `BRING_LIST`, and ask for confirmation before ambiguous remove or complete actions.

What this means

Future package changes or a compromised dependency could affect how credentials and shopping-list actions are handled.

Why it was flagged

The setup relies on an unpinned third-party package that is outside the reviewed skill artifacts. The dependency is central to the skill, but its exact installed version is not fixed.

Skill content

python3 -m pip install bring-api ... Based on [`miaucl/bring-api`](https://github.com/miaucl/bring-api) (unofficial Bring! API, MIT license).

Recommendation

Install in a virtual environment, pin a reviewed `bring-api` version, and verify the package source before use.