Supermarket

Security checks across malware telemetry and agentic risk

Overview

This grocery skill appears purpose-built rather than malicious, but it needs review because it handles reusable Kroger login tokens through a hosted proxy and asks agents to persist them.

Review before installing if you plan to use cart or profile features. Product and store searches are lower risk; account features require Kroger login and expose refresh tokens to the hosted proxy and, per the skill instructions, to agent long-term memory. Prefer self-hosting or local CLI mode with your own Kroger credentials for tighter control, avoid saving refresh tokens in agent memory unless you know how to remove or revoke them, and require confirmation before any cart changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (34)

Tp4

High
Category
MCP Tool Poisoning
Confidence
82% confidence
Finding
The description understates important behavior, especially the use of a third-party hosted OAuth proxy and token brokerage/refresh flows. Even if the behavior is related to grocery functionality, omitting credential-handling and proxy mediation reduces informed consent and can mislead users about where their authentication data and tokens are processed.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to persist a user's Kroger refresh token in long-term memory, which creates durable credential storage beyond the immediate session. A refresh token can be used to regain access to profile and cart data across sessions, so compromise of memory storage or misuse by the agent would extend account access significantly.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The handler accepts a caller-supplied `scope` query parameter and forwards it directly into the OAuth authorization request without server-side allowlisting. An attacker can request broader Kroger permissions than intended by the skill, causing users to consent to excessive access and potentially granting the application capabilities beyond its stated grocery-shopping purpose.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
This endpoint returns raw access and refresh tokens over an unauthenticated HTTP GET response. Exposing bearer credentials directly is highly sensitive because anyone who learns or guesses a valid session_id can obtain reusable tokens and act as the user, and this capability is especially risky in a grocery-shopping skill where returning OAuth credentials to arbitrary callers is not obviously required for user-facing functionality.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The function accepts any GET request, takes a session_id from the query string, and uses it to look up completed session records containing tokens, with no authentication, authorization, origin validation, or proof of possession. This creates an insecure direct object reference: if an attacker obtains, predicts, or intercepts a session_id, they can retrieve the associated credentials and access the linked account.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code can transmit a Kroger OAuth login URL through Telegram, a third-party messaging service unrelated to the stated grocery-shopping functionality. OAuth URLs commonly carry sensitive state, codes, or account-linking context, so routing them through Telegram increases exposure to bot compromise, chat misdelivery, logging, and unintended third-party retention.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The tests explicitly validate functionality that sends login URLs through Telegram, including support for externally supplied bot tokens/chat IDs via OPENCLAW_* environment variables. For a grocery-shopping skill, exfiltrating authentication links to Telegram is unrelated to the declared purpose and strongly suggests an out-of-band credential capture or session hijacking channel.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
This skill is for grocery search, store lookup, cart, and profile management, yet it includes Telegram bot configuration and an environment-driven integration for sending login URLs. That introduces an unrelated outbound messaging channel that could be used to exfiltrate authentication links, tokens, or account data, which is especially suspicious because it is outside the declared user-facing functionality.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This file implements outbound Telegram Bot API messaging, which is unrelated to the declared grocery-shopping functionality of the supermarket skill. Hidden external messaging channels are dangerous because they can be used to exfiltrate user data, cart contents, profile data, or credentials to an undisclosed third party, and the mismatch with the manifest materially increases suspicion.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The code sends arbitrary text to Telegram but the skill description does not disclose any Telegram integration, creating an undisclosed outbound data flow. In the context of a supermarket skill that may handle shopping activity, store preferences, account/profile details, or login-adjacent data, this hidden channel could be used for covert data exfiltration or operational command-and-control.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The token endpoint explicitly supports the client_credentials grant, which allows the skill to mint app-level tokens without end-user approval. For a consumer grocery assistant, that creates unnecessary capability to access non-user-approved API surfaces and broadens the trust boundary beyond the stated user-centric purpose.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly says the tool 'works out of the box' via a hosted OAuth proxy and that browser login for cart/profile uses hosted mode, but it does not clearly warn users that searches, OAuth exchanges, and potentially account-linked actions may transit through infrastructure operated by a third party. In a grocery/profile/cart skill, this can expose shopping behavior, location lookups, and account-related metadata to the proxy operator, creating privacy and trust risks even if the proxy is functioning as intended.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README states that `krocli auth login` stores a refresh token but gives no warning that this token is sensitive and can be used to maintain account access if stolen. Because the skill supports cart and identity/profile operations, compromise of the stored token could allow unauthorized access to personal profile data and modification of the user's grocery cart.

Vague Triggers

Medium
Confidence
80% confidence
Finding
Broad triggers like generic grocery-shopping terms can cause unintended invocation of a skill that performs account-linked actions and external requests. In this context, accidental routing matters because the skill can initiate login flows, use stored tokens, and access profile/cart functionality, increasing the chance of surprise data handling.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill directs long-term storage of a refresh token without a clear, explicit warning and consent flow for persistent credential retention. Because refresh tokens enable continued account access, retaining them silently or implicitly materially increases privacy and security risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The endpoint transmits highly sensitive credentials—both access and refresh tokens—directly in the HTTP response. Even if sent over HTTPS, returning long-lived credentials to callers increases exposure through browser history, client logs, proxies, debugging tools, and any compromised front-end context, making account takeover significantly easier if mishandled.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The function prompts for a Telegram bot token and chat ID, then saves them persistently without any warning that these are sensitive credentials. Storing a bot token expands the attack surface because anyone who obtains it can control the bot or read/send messages through that integration, potentially exposing future authentication links or other sensitive data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The hosted refresh path sends the user's refresh token to an application-controlled proxy service (`/tokenRefresh`) rather than directly to Kroger. A refresh token is a long-lived credential, so proxy access materially expands the trust boundary and creates account-takeover risk if the proxy, logs, or telemetry are compromised; there is no in-file disclosure or consent mechanism to make users aware of this handling.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation instructs transmission of base64-encoded client credentials and receipt of access/refresh tokens but provides no warning against logging, embedding, or exposing these secrets. In practice, developers often copy examples into debugging or client-side code, which can leak long-lived credentials or tokens and enable unauthorized API access.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documented operation performs a state-changing action on behalf of an authenticated customer by adding items to their cart, but the spec does not include an explicit warning or confirmation requirement for user-impacting changes. In an agent setting, this increases the risk of unintended purchases or silent cart manipulation if the tool is invoked from ambiguous prompts.

Ssd 3

High
Confidence
96% confidence
Finding
Persisting a refresh token enables the system to re-establish authenticated sessions and access personal account data over time without a fresh login. In a grocery skill, that means ongoing access to profile and cart data that exceeds a one-time transactional need and broadens the blast radius of any compromise.

External Transmission

Medium
Category
Data Exfiltration
Content
After the user says they've logged in, poll for their tokens:

```bash
curl -s "https://us-central1-krocli.cloudfunctions.net/tokenUser?session_id=SESSION_ID"
```

- If `{"status": "pending"}` with HTTP 202: user hasn't finished yet. Wait and retry.
Confidence
88% confidence
Finding
curl -s "https://us-central1-krocli.cloudfunctions.net/tokenUser?session_id=SESSION_ID" - If `{"status": "pending"}` with HTTP 202: user hasn't finished yet. Wait and retry. - If HTTP 200: tokens

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
-H "Authorization: Bearer USER_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  "https://api.kroger.com/v1/cart/add" \
  -d '{"items": [{"upc": "0011110838049", "quantity": 1}]}'
```
Confidence
78% confidence
Finding
https://api.kroger.com/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
curl -s -H "Authorization: Bearer USER_ACCESS_TOKEN" \
  -H "Accept: application/json" \
  "https://api.kroger.com/v1/identity/profile"
```

## Refreshing an Expired User Token
Confidence
81% confidence
Finding
https://api.kroger.com/

Credential Access

High
Category
Privilege Escalation
Content
```go
// Opens the credential store used for the Kroger refresh token. Note the
// FileBackend fallback with a fixed, hard-coded file password ("krocli").
func defaultOpenKeyring() (keyring.Keyring, error) {
	return keyring.Open(keyring.Config{
		ServiceName:      serviceName,
		AllowedBackends:  []keyring.BackendType{keyring.KeychainBackend, keyring.SecretServiceBackend, keyring.WinCredBackend, keyring.FileBackend},
		FileDir:          defaultFileDir(),
		FilePasswordFunc: keyring.FixedStringPrompt("krocli"),
	})
}
```
Confidence
82% confidence
Finding
keyring

VirusTotal

66/66 vendors flagged this skill as clean.
