Back to skill

Security audit

Picnic Grocery

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Picnic grocery-account skill, but it handles live credentials and personal account data in ways users should review before installing.

Install only if you are comfortable letting this skill access your Picnic account, cart, delivery slots, delivery history, address, phone, and email. Avoid entering the login command in shared terminals or transcripts, treat ~/.config/picnic/config.json as a sensitive credential file, and do not run debug.mjs unless you understand that it reads your saved token and fetches delivery data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill description says it handles grocery ordering, cart management, and delivery scheduling, but this code also exposes delivery history and account-related data through additional commands. That creates an over-privileged data exposure surface: an agent or user invoking the skill may retrieve personal history and profile information that was not clearly disclosed in the manifest.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The `user` command retrieves and prints personally identifiable information including name, email, phone, address, and household details, but this capability is not reflected in the stated skill scope. In an agent setting, undisclosed access to sensitive profile data is dangerous because it enables silent collection or exfiltration of personal information beyond the expected grocery-ordering workflow.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to pass an email and password directly on the command line (`login <email> <password>`), which can expose credentials through shell history, process listings, terminal logging, and audit tooling. In a skill designed to access a real grocery account, these are live account credentials, so the issue is contextually meaningful rather than theoretical.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code persists the Picnic authentication token to a local config file, enabling continued account access if that file is read by another local user, backup system, malware, or an over-privileged agent. Although the file is written with mode `0o600`, storing long-lived bearer credentials on disk without explicit disclosure or stronger secret storage increases the risk of account compromise.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The `status` path returns personal account data such as first name, last name, email, and address without any explicit privacy prompt or narrow scoping to the minimum necessary information. In the context of an agent skill, this is more dangerous because a seemingly routine status check can disclose sensitive PII to the calling system or logs without the user realizing it.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"picnic": "./picnic-cli.mjs"
  },
  "dependencies": {
    "picnic-api": "^3.2.0"
  }
}
Confidence
95% confidence
Finding
"picnic-api": "^3.2.0"

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.