Back to skill

Security audit

Lieferando Cli

Security checks across malware telemetry and agentic risk

Overview

This is mostly a coherent read-only food-delivery lookup skill, but it keeps user location and cart data in local files without clear user-facing disclosure or controls.

Review this before installing if you may enter home, work, or other sensitive addresses. Prefer postcode-only lookups when possible, and be aware that the skill can leave cart data and geocoded address history in local files under the user home directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill invokes a bundled Node script that performs network access and may read environment state, yet the manifest does not explicitly declare those capabilities. Undeclared capabilities undermine least-privilege review and can hide data flows or outbound requests from users and platform policy checks. In this context the functionality is expected to need network access, which lowers suspicion somewhat, but the missing declaration is still a real security transparency issue.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The CLI imports and exposes local cart mutation operations (`cart add`, `cart clear`) even though the skill is described as read-only discovery only. This creates a capability/manifest mismatch that can mislead an orchestrator or user into granting or invoking behavior they did not consent to, especially if downstream systems rely on the declared read-only scope for safety decisions.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The usage text explicitly states the tool is read-only and cannot perform stateful actions, but the command surface includes `cart add` and `cart clear`, which modify persistent local state. Misleading safety claims are dangerous because agents and users may trust the declaration and invoke the skill in contexts where any mutation, even local-only, is prohibited.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The code caches user-supplied addresses and derived geolocation data to disk in the user's home directory, which creates a privacy-sensitive local data store beyond the stated read-only discovery behavior. Even if intended for performance, persisting location history can expose sensitive address information to other local users, backups, or later compromise of the host.

Context-Inappropriate Capability

Low
Confidence
83% confidence
Finding
Writing geocoding data into a user-home cache directory introduces local persistence of potentially sensitive location information that is not strictly necessary for food-discovery functionality. The main risk is privacy leakage through local filesystem access, system backups, or unintended retention.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The function sends the full free-text address to OpenStreetMap Nominatim, which is a third-party service, without any indication in this file that users are informed or consent to that disclosure. Addresses are highly sensitive personal data, so silent transmission to an external provider creates a real privacy risk even if required for geocoding.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The module writes address-derived geocoding results to a local JSON cache without any visible notice or opt-in in this file, creating silent retention of location-related data. This increases exposure because sensitive places can remain on disk long after the immediate command finishes.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.