Back to skill

Security audit

Swiggy

Security checks across malware telemetry and agentic risk

Overview

This Swiggy skill appears purpose-built for food, grocery, and booking workflows, but its commerce authority and CLI execution pattern need careful review before installation.

Install only if you are comfortable connecting a Swiggy account and letting the agent send delivery, location, cart, and booking details to Swiggy MCP servers. Keep the host runtime patched, require explicit confirmation before any purchase or booking, and avoid using this skill until the CLI shell invocation is replaced with an argument-array subprocess call.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The CLI builds a shell command string and passes it to child_process.execSync, interpolating user-controlled values such as tool arguments into the command. Although JSON.stringify and quoting reduce some risk, this remains dangerous because shell parsing still occurs and malformed input containing quotes can break out of the intended argument boundary, potentially leading to command injection on the local machine.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The skill explicitly uses OAuth and sends requests to Swiggy-hosted HTTP MCP endpoints, but the README does not clearly disclose that account, address, search, order, and location-related data will be transmitted to third-party services. This is a transparency and privacy issue: users may authenticate or provide sensitive delivery details without understanding what leaves the local agent environment.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger examples are broad, natural-language phrases like "Order biryani" and "Get eggs and milk" that overlap with common user requests. In an agent environment, this can cause the skill to activate unexpectedly for ordinary conversation and move the agent into a transaction-capable workflow, increasing the chance of unintended ordering or unnecessary exposure of location/address context.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"license": "MIT",
  "dependencies": {},
  "peerDependencies": {
    "clawdbot": "*"
  },
  "engines": {
    "node": ">=18.0.0"
Confidence
96% confidence
Finding
"clawdbot": "*"

Known Vulnerable Dependency: clawdbot — 10 advisory(ies): CVE-2026-26317 (OpenClaw affected by cross-site request forgery (CSRF) through loopback browser ); GHSA-chm2-m3w2-wcxm (OpenClaw Google Chat spoofing access with allowlist authorized mutable email pri); CVE-2026-26328 (OpenClaw iMessage group allowlist authorization inherited DM pairing-store ident) +7 more

High
Category
Supply Chain
Confidence
98% confidence
Finding
clawdbot

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
swiggy-cli.js:21