Security audit

OurGroceries Integration

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims, but it handles a live OurGroceries account and exposes session/list data in ways users should review before installing.

Install only if you are comfortable giving this skill access to a real OurGroceries account. Use a secure secret store for the email and password, avoid enabling debug logs until the session-cookie logging is removed, and treat remove/delete actions and the DevTools monitor as sensitive because they can change or expose private shopping-list data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill advertises access to environment variables, file reads, and network interaction but does not declare permissions, which weakens transparency and permission boundaries for users and reviewers. In this context, the skill handles third-party account credentials and synchronizes with an external service, so undeclared capabilities materially increase the risk of credential misuse or unintended data access.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The invocation phrases are broad, generic shopping utterances that can easily match normal user speech not clearly intended for this specific third-party integration. That increases the chance of accidental invocation, which in this skill could trigger authenticated actions such as adding, removing, or modifying grocery lists on a live external account.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The description omits a clear warning that the skill performs authenticated network synchronization with a third-party service using stored account credentials. Users may reasonably treat it like a local shopping helper, but it actually transmits data externally and acts on a real account, which raises privacy, account-security, and consent concerns.

Missing User Warnings

High
Confidence
99% confidence
Finding
The code logs the authenticated session cookie value directly in debug output (`_session_key`). Session cookies are bearer credentials, so anyone with access to logs can reuse the cookie to impersonate the user against OurGroceries without needing the password. In a skill/integration context, debug logs may be collected centrally or exposed to operators, making this materially dangerous.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation explicitly instructs use of email/password authentication and notes that credentials must be stored, but it provides no warning about secure handling of those secrets. In an agent skill context, this increases the chance that developers or operators will hardcode, log, or persist credentials insecurely, which could expose the user's OurGroceries account and any connected household data.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The reference lists destructive operations such as deleting lists and deleting crossed-off items without warning that they permanently modify or remove user data. In an agent-driven integration, undocumented destructive capabilities make accidental or unauthorized data loss more likely, especially if an upstream agent invokes actions from natural-language requests without confirmation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This script intentionally hooks XMLHttpRequest and fetch to intercept POST bodies to /your-lists and prints full JSON payloads to the browser console, including an explicit EXPORT line meant for copying or sharing. Even though it is framed as a devtools helper, those request bodies can contain shopping-list contents, account-linked identifiers, and other user data, creating a confidentiality risk through console exposure, screenshots, copy/paste, or shared debugging sessions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script deletes a grocery-list item immediately after matching the provided name, with no confirmation, dry-run mode, or undo safeguard. In this skill’s context, the action is state-changing and potentially irreversible, so a mistaken invocation, ambiguous item match, or automation error can silently remove data the user did not intend to delete.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.