ClawHub

Bring! Shopping List

v1.2.5

Manage Bring! shopping lists (Einkaufsliste / grocery list) — add, remove, check off items, batch ops, default list support. Use when: user wants to set up B...

2· 729·1 current·1 all-time
by@maikimolto
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the provided files: a single bash CLI (scripts/bring.sh) that uses curl + jq to call the Bring! REST API. Required capabilities (credentials, local config files, token cache) are expected for this purpose and nothing unrelated (no cloud provider keys, no unrelated binaries) is requested.
Instruction Scope
SKILL.md stays within scope (setup, storing credentials locally, listing/adding/removing items). It explicitly tells the agent how to obtain and store Bring! email/password and how to run the script. Important privacy note: SKILL.md offers two flows — entering credentials in chat (agent writes them to ~/.config/bring/credentials.json) or entering them locally via a provided terminal command. Allowing credentials to be pasted into chat is a privacy risk (chat logs/platform storage may retain them); the guidance to prefer terminal input for privacy is appropriate. There are no instructions to transmit credentials to any endpoint other than Bring!'s API (api.getbring.com).
Install Mechanism
No remote install/download steps — the skill is instruction-only plus a bundled shell script. Nothing is fetched from arbitrary URLs or written to unexpected system locations. The script creates/uses user-scoped config/cache files under ~/.config and ~/.cache only.
Credentials
The skill legitimately requires Bring! credentials (email/password) and may accept BRING_EMAIL/BRING_PASSWORD env vars; these are proportional to its functionality. No unrelated or excessive environment variables or external service credentials are requested.
Persistence & Privilege
always:false (not force-included). The script stores a token cache (~/.cache/bring/token.json) and credentials (~/.config/bring/credentials.json) with recommended file permissions (chmod 600). It does not request elevated system privileges or modify other skills' configs.
Assessment
This skill appears to do what it says, but it requires your Bring! email and password. Prefer the 'Option B — via terminal' path so credentials never appear in chat or the platform logs. Before installing or running: (1) review scripts/bring.sh yourself (it's included) to confirm it's acceptable, (2) run it only on a trusted machine (not a shared or public CI runner), (3) store credentials with the recommended file permissions (chmod 600), (4) be aware that changes sync instantly to shared lists (others will see edits), and (5) verify network traffic goes only to api.getbring.com. If you want extra safety, create a dedicated Bring! account for automation rather than using your primary account.

Like a lobster shell, security has layers — review code before you run it.

latestvk974qn4gxw1bb37mmxq2pcp65181k1mb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments