Anylist
PassAudited by VirusTotal on May 13, 2026.
Overview
Type: OpenClaw Skill Name: anylist Version: 0.1.0 The skill bundle is classified as benign. All instructions in SKILL.md, including the installation of `anylist-cli` via npm and the setup for authentication using environment variables, are directly aligned with the stated purpose of managing AnyList. There is no evidence of prompt injection attempts against the agent, data exfiltration, malicious execution, persistence mechanisms, or any other intentional harmful behavior. The required access to credentials and the use of shell commands are necessary for the skill's legitimate function.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the CLI is necessary to use the skill, but it means trusting that npm package on the local system.
The skill asks the user to install a global npm CLI package as its operating mechanism. This is central to the stated purpose, but users should notice the external package dependency.
npm install -g anylist-cli
Install only from a trusted npm source, verify the package name and publisher, and keep the CLI updated.
The CLI may be able to read and modify the user's AnyList shopping lists after authentication.
The skill requires access to the user's AnyList account through interactive authentication or optional email/password environment variables. This is expected for managing an AnyList account, but it is sensitive account access.
anylist auth # Or set environment variables for non-interactive use export ANYLIST_EMAIL="your@email.com" export ANYLIST_PASSWORD="your-password"
Prefer interactive authentication where possible, avoid exposing the password unnecessarily, and only use the skill with an account you intend it to manage.
A mistaken list or item name could remove or clear shopping-list entries the user wanted to keep.
The skill documents commands that can remove items or clear checked items from a list. These actions are purpose-aligned for list management, but they mutate user data.
anylist remove "Grocery" "Milk" # Remove from list anylist clear "Grocery" # Clear all checked items
Use these commands only in response to clear user intent, and confirm ambiguous remove or clear requests before acting.