wolt-cli
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill is coherent for Wolt CLI use, but it deserves review because an external, unreviewed local CLI would handle Wolt tokens/cookies, persist auth data, and mutate account/cart state.
Review the external wolt-cli repository and your local binary before using this skill. Use it read-only first, store credentials only if you trust the tool, avoid sharing verbose logs, and approve cart/profile/address changes only after checking the exact target.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the local CLI or profile is misused or compromised, it could access the user's Wolt account data and maintain session access via stored refresh credentials.
This shows the skill can use Wolt access tokens, refresh tokens, cookies, and local auth profiles, and can persist refreshed credentials. Those credentials are not declared in the registry metadata.
wolt configure --profile-name default --wtoken "<token>" --wrtoken "<refresh-token>" --overwrite ... Credential fallback ... `--wtoken`, `--wrtoken`, `--cookie` ... refreshed automatically and persisted back to local config.
Only use this with a trusted and reviewed local CLI, prefer a clearly named profile, avoid passing cookies unless necessary, and remove stored credentials when no longer needed.
The code that receives Wolt credentials and performs account actions is outside this review, so users must trust the external repository and their local binary.
The skill relies on an external repository and local binary that are not included in the reviewed artifact set or pinned by an install spec.
Tool repository: https://github.com/mekedron/wolt-cli Open the repository for setup/build details, then use the local `wolt` binary
Inspect and pin the external CLI version before use, verify its source, and avoid giving it real account credentials until its behavior is understood.
A mistaken or insufficiently scoped command could change the user's Wolt cart, favorites, or address book.
The skill documents account and cart mutations and includes a confirmation rule, so the behavior is purpose-aligned but still requires careful user control.
Request explicit confirmation before mutating commands: `cart add`, `cart remove`, `cart clear` ... `profile favorites add`, `profile favorites remove` ... `profile addresses add`, `profile addresses update`, `profile addresses remove`, `profile addresses use`
Before approving any mutation, confirm the exact profile, venue, item, address, and intended action; keep read-only commands as the default.
