critical
suspicious.dangerous_exec
- Location
- swiggy-cli.js:21
- Finding
- Shell command execution detected (child_process).
Swiggy
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.dangerous_exec
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
ConcernHigh Confidence
ASI05: Unexpected Code ExecutionWhat this means
A crafted restaurant query, delivery address, or copied item/restaurant ID could cause the local machine to run commands outside the Swiggy workflow.
Why it was flagged
argsJson contains user-supplied values such as searches, locations, item IDs, and addresses. Because it is inserted into a shell command inside single quotes, an input containing a single quote can break out of the quoting and execute unintended shell commands.
Skill content
const { execSync } = require('child_process'); ... const cmd = `mcporter call --server "${MCP_SERVERS[server]}" --tool "${tool}" --args '${argsJson}'`; return exec(cmd);Recommendation
Do not install until the CLI is fixed to use execFileSync/spawn with an argument array, or otherwise strictly escape and validate all arguments before invoking mcporter.
NoteHigh Confidence
ASI02: Tool Misuse and ExploitationWhat this means
If approved, the agent can create real COD orders or restaurant bookings that may not be cancelable.
Why it was flagged
The skill intentionally exposes tools that can place real food/grocery orders and bookings. The instructions disclose the impact and require confirmation, so this is purpose-aligned but high-impact.
Skill content
Swiggy MCP currently supports **Cash on Delivery only**. Orders **cannot be cancelled** once placed. Always double-check before confirming.
Recommendation
Only approve after checking the cart, total, address, time, and guest count yourself.
NoteHigh Confidence
ASI03: Identity and Privilege AbuseWhat this means
The skill can use the authenticated Swiggy account for searches, carts, orders, and bookings.
Why it was flagged
OAuth account access is expected for a Swiggy ordering integration, but it delegates authority to act through the user's Swiggy account.
Skill content
First use will trigger OAuth flow. Follow the prompts to authenticate with your Swiggy account.
Recommendation
Authenticate only the intended account, review any OAuth prompts, and revoke access if you stop using the skill.
NoteHigh Confidence
ASI06: Memory and Context PoisoningWhat this means
Order history and delivery address information may remain available to future agent sessions or anyone with access to the skill memory files.
Why it was flagged
The skill instructs the agent to persist order details, including delivery address and order ID, in a memory file.
Skill content
After successful order, append to `memory/swiggy-orders.json`: ... "address": "HSR Layout", "orderId": "..."
Recommendation
Inspect or delete the order log when needed, and avoid storing sensitive address details longer than necessary.
NoteHigh Confidence
ASI04: Agentic Supply Chain VulnerabilitiesWhat this means
Installation may rely on a separately installed mcporter command; using the wrong or untrusted mcporter would affect what the Swiggy CLI actually runs.
Why it was flagged
The skill depends on external runtime tooling and an additional skill even though the registry requirements list no required binaries or install spec.
Skill content
- Node.js ≥ 18 - `mcporter` skill (must be installed)
Recommendation
Install mcporter only from a trusted source and verify the swiggy command resolves to the reviewed local file before use.