Apo Cli

Pass. Audited by ClawScan on May 10, 2026.

Overview

The skill is coherent for apohealth product search and cart management, but users should be aware that it sends medication/cart activity to apohealth, can modify a remote cart, stores local cart/session files, and includes a public Shopify storefront token in its documentation.

Before installing, confirm you are comfortable sending pharmacy searches and cart actions to apohealth.de. Do not treat this as medical advice, review products and prices yourself, and complete checkout only in your own browser. If you use the cart features, consider deleting apo_cookies.json and apo_cart.json afterward, and avoid installing from the unpinned GitHub command unless you verify the exact code.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may add, remove, or clear pharmacy products in a cart if invoked for those workflows, though the artifacts do not show it completing a purchase.

Why it was flagged

The CLI can send POST requests that mutate the apohealth.de cart. This is purpose-aligned for cart management, but it affects a real commerce cart.

Skill content

status, result = client.post("/cart/add.json", data)

Recommendation

Only allow cart-changing commands after an explicit user request, and keep the SKILL.md rule requiring confirmation before clearing the cart.

What this means

Anyone with access to the skill directory may be able to see or reuse local apohealth cart/session state, which can reveal medication-related interests.

Why it was flagged

The tool stores apohealth cookies and a cart token in persistent local files, which can contain session/cart state tied to pharmacy shopping activity.

Skill content

COOKIES_FILE = SCRIPT_DIR / "apo_cookies.json"
CART_FILE = SCRIPT_DIR / "apo_cart.json"

Recommendation

Tell users where these files are stored, avoid using logged-in account cookies, and delete the local cookie/cart files when the cart session is no longer needed.

What this means

Medication searches and cart contents may be visible to apohealth.de as part of normal use.

Why it was flagged

Search queries, PZN lookups, and cart actions are sent to the apohealth.de provider API. This is expected for the skill, but the content can be health-sensitive.

Skill content

BASE_URL = "https://www.apohealth.de"

Recommendation

Use the skill only when you are comfortable sending the requested medication/product information to apohealth.de.

What this means

The token may allow public storefront API access for apohealth.de, depending on its Shopify scope.

Why it was flagged

The research notes include a Shopify Storefront access token and describe it as publicly present in HTML. It is not a user credential, but it is still a provider API token.

Skill content

Storefront API Token: `...` (publicly present in the HTML)

Recommendation

Verify that this token is intended to be public and remove or redact it from distributed documentation if it is not needed by the skill.

What this means

Installing from the live GitHub URL could fetch code different from the reviewed artifact.

Why it was flagged

README.md suggests installing from an unpinned GitHub repository, while the registry metadata lists the source as unknown and SKILL.md uses a bundled script.

Skill content

uv tool install git+https://github.com/Lars147/apo-cli

Recommendation

Prefer the bundled reviewed script, or pin any external install to a reviewed commit or release.