Picnic Grocery
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
The Picnic grocery skill is mostly purpose-aligned, but it handles Picnic account credentials in a risky way by printing an auth token during 2FA and asking for the password on the command line.
Use this skill only if you are comfortable giving it access to your Picnic account. Do not run the documented login command in a shared shell, and avoid using it until the authKey output during 2FA is removed or masked. Confirm every cart or delivery-slot change before letting the agent execute it.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who obtains the printed auth key may be able to access the Picnic account through this API until the key expires or is revoked.
When 2FA is required, the CLI writes the Picnic auth key to config and also prints that auth key in JSON output. That session credential can enter the agent transcript, shell logs, or other command-output captures.
saveConfig({ authKey: result.authKey, countryCode, needs2FA: true }); ... output({ status: '2fa_required', ... authKey: result.authKey });Do not print authKey values. Store tokens only in a protected credential store or local config, mask sensitive output, and document how users can revoke or rotate the Picnic session.
A Picnic password could be accidentally recorded or exposed outside the user's intended login session.
The documented login method asks for the Picnic password as a command-line argument. Command-line secrets can be exposed through shell history, process listings, or logs.
node {baseDir}/picnic-cli.mjs login <email> <password> DEPrompt for the password interactively, read it from a secure secret source, or use an OAuth/device-code style flow instead of placing it directly on the command line.
The agent can add or remove groceries, clear the cart, or reserve/change a delivery slot if the user approves or if the agent invokes the command incorrectly.
The CLI can directly change the user's Picnic cart and selected delivery slot. This is aligned with the skill purpose, and SKILL.md says to confirm first, but the commands perform the change once invoked.
await client.addProductToShoppingCart(productId, parseInt(count, 10)); ... await client.clearShoppingCart(); ... await client.setDeliverySlot(slotId);
Only allow cart or slot changes after an explicit user confirmation that includes product names, quantities, total price, and delivery window.
Personal delivery and contact information may be shown in the agent conversation or command logs.
The user-info command outputs personal account details including contact information and address. This is expected for a grocery delivery integration, but it is sensitive account data.
output({ firstName: user.firstname, lastName: user.lastname, email: user.contact_email, phone: user.phone, address: user.address, householdSize: user.household_details?.adults });Ask before displaying full profile details and avoid showing address, phone, or household data unless needed for the current task.
If someone runs this helper, it will use the saved Picnic session to query delivery data unrelated to a user-directed delivery ID.
An undocumented debug helper reads the saved auth config and fetches a hard-coded delivery ID. It is not referenced by SKILL.md or package.json as a runnable command, so it does not appear automatic, but it is unexpected account-access code.
const delivery = await client.getDelivery('tmx2f3xiti');Remove the debug file from the published skill or document it clearly and require an explicit user-provided delivery ID.
The installed npm package becomes part of the account-access path for the Picnic credentials.
The skill installs a third-party npm package to access Picnic. This is purpose-aligned and package-lock.json includes integrity data, but it is still external dependency trust.
"dependencies": { "picnic-api": "^3.2.0" }Install with the included lockfile, keep dependencies reviewed, and prefer exact dependency pinning for account-integrated skills.