ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OurGroceries Integration

v1.0.1

Skill for interacting with OurGroceries.com to manage shopping lists. Use when you need to add items to grocery lists, check existing lists, or synchronize w...

0· 36·0 current·0 all-time
by@poedenon

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for poedenon/ourgroceries.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "OurGroceries Integration" (poedenon/ourgroceries) from ClawHub.
Skill page: https://clawhub.ai/poedenon/ourgroceries
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install ourgroceries

ClawHub CLI

Package manager switcher

npx clawhub@latest install ourgroceries
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill implements an OurGroceries.com client (vendored Python wrapper) and scripts to add/get/remove items — that matches the stated purpose. However, the registry metadata declares no required environment variables or primary credential, while SKILL.md and all scripts clearly require OURGROCERIES_EMAIL and OURGROCERIES_PASSWORD. That metadata omission is an incoherence and could lead users to hand credentials to a skill that doesn't declare it needs them.
Instruction Scope
SKILL.md and included scripts keep scope to OurGroceries interactions (login, list/item APIs). The skill loads an optional local 'env' file via scripts/load_skill_env.py (uses os.environ.setdefault so it doesn't override existing env vars). The devtools_network_monitor.js is a local debugging snippet that logs POST JSON to the browser console — useful for debugging but can expose sensitive request bodies if copied/shared. No instructions direct data to endpoints other than ourgroceries.com.
Install Mechanism
No remote install/downloads; the repo vendores the client code under lib/ourgroceries and requirements.txt only lists aiohttp. There are no obscure external download URLs or archive extracts in the package.
!
Credentials
The skill requires email/password credentials for OurGroceries (declared in SKILL.md and used by all scripts), which is proportionate to its function. However, the registry metadata failing to list these required environment variables is a serious inconsistency. Storing plain credentials in env is necessary here (site uses email/password), so the user must ensure secure vaulting and that the agent runtime will not leak them.
Persistence & Privilege
The skill does not request always:true, does not alter other skills' config, and only reads/writes its own (vendored) code and an optional local 'env' file. It does modify sys.path at runtime to import the vendored client — expected for a vendored module.
What to consider before installing
This skill appears to implement the advertised OurGroceries functionality, but the registry metadata incorrectly omits the required credentials. Before installing or invoking it: - Treat OURGROCERIES_EMAIL and OURGROCERIES_PASSWORD as highly sensitive. Only provide them via a secure vault or host environment you control; do not paste them into chat or the browser console. - Review the vendored client code in lib/ourgroceries/ yourself (or have a trusted reviewer) to confirm there are no hidden outgoing endpoints or credential exfiltration. The code here posts to ourgroceries.com and reads site HTML for IDs — that is expected, but verify there are no other hosts. - Be cautious with scripts/devtools_network_monitor.js: it logs request bodies to the browser console and can expose sensitive request payloads if you copy/share outputs. Use it only locally and avoid sharing exported JSON. - Ask the publisher/registry to update the skill metadata to declare required env vars (OURGROCERIES_EMAIL, OURGROCERIES_PASSWORD) so automated checks and reviewers are aware. If you cannot verify the vendored client or cannot guarantee secure handling of credentials, do not install or provide credentials to this skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk973jbfgv5fqpk45bdr9r9jqtd85m8ys
36downloads
0stars
1versions
Updated 8h ago
v1.0.1
MIT-0
@poedenon
latest
Download

OurGroceries Integration

Overview

This skill provides integration with OurGroceries.com using an unofficial Python wrapper, allowing you to manage your grocery lists through natural language commands. You can add items to lists, check what's on your lists, and synchronize with your OurGroceries.com account.

Setup Required

To use this skill, you need to:

  1. Have an OurGroceries.com account (email and password)
  2. Install aiohttp (see requirements.txt). Scripts load a vendored client from lib/ourgroceries/ (patched for current OurGroceries APIs, including getItemCategory + getLists / auto-categorize parity with the web app).
  3. Configure your credentials securely

Quick Start

Adding Items

To add an item to your grocery list, simply say or type:

  • "Add milk to my grocery list"
  • "I need eggs and bread for shopping"
  • "Put apples on OurGroceries"

Checking Lists

To see what's on your list:

  • "What's on my grocery list?"
  • "Show me OurGroceries"
  • "List items for shopping"

Available Operations

Once configured with your OurGroceries.com credentials, this skill supports:

  • Adding items to specific lists or default list
  • Retrieving items from lists
  • Removing items from lists
  • Marking items as purchased
  • Creating new lists
  • Deleting lists
  • Synchronizing with OurGroceries.com

Resources

scripts/

Contains executable scripts for interacting with OurGroceries.com via the unofficial Python wrapper:

  • add_item.py - Add items to grocery lists
  • get_list.py - Retrieve current list items
  • remove_item.py - Remove items from lists
  • devtools_network_monitor.js - Paste in browser DevTools to log POST JSON (see file header)

references/

Documentation and usage guides:

  • api_reference.md - OurGroceries.com API endpoints and authentication (based on unofficial wrapper)
  • authentication.md - How to obtain and use API credentials (email/password)
  • examples.md - Common usage patterns and examples

Configuration

Before using this skill, you'll need to:

  1. Visit https://www.ourgroceries.com and note your login email and password
  2. Store these credentials securely (we recommend using environment variables or a secure vault)
  3. The scripts will look for credentials in environment variables:
    • OURGROCERIES_EMAIL: Your OurGroceries.com login email
    • OURGROCERIES_PASSWORD: Your OurGroceries.com login password

Notes

This skill uses a vendored copy of the unofficial Python client (based on py-our-groceries) under lib/ourgroceries/, extended for APIs the current web UI uses (getItemCategory for guessed category, then insertItem with that categoryId; getLists instead of legacy getOverview).

If you encounter issues, check the references/ directory for troubleshooting tips and current status.

Example Usage

After setting environment variables:

OURGROCERIES_EMAIL="your@email.com" OURGROCERIES_PASSWORD="yourpassword" \
  python3 /path/to/skill/scripts/add_item.py "milk" -l "My Grocery List"

(add_item.py uses auto-categorize via getItemCategory + insertItem; see AGENTS.md in this skill folder.)

Comments

Loading comments...