Food402 - TGO Yemek

Audited by ClawScan on May 10, 2026.

Overview

This food-ordering skill is coherent, but it can use your TGO account to change addresses, cart, and payments while caching account tokens in predictable temporary files.

Review this skill carefully before installing. It is aligned with ordering food, but it can access your TGO account, saved addresses, cart, order history, and payment flow. Use it only on a trusted machine, clear `/tmp/food402-token` after use, provide the Google API key only if you need that feature, and insist on explicit confirmation before checkout or payment.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or over-eager agent action could modify the account, cart, address state, or payment flow for a real food order.

Why it was flagged

The helper can send arbitrary state-changing requests to the TGO and payment API bases using the user's bearer token, rather than only narrowly scoped, validated operations.

Skill content

Methods: get, post, put, delete, payment-get, payment-post ... payment-post) api_request "POST" "${PAYMENT_API_BASE}${2}" "${3:-}" "true"

Recommendation

Only use this skill when you intend to place an order, and require an explicit final confirmation before any checkout or payment request.

What this means

On a shared or compromised machine, another local process or user may be able to read the token and access the TGO account until it expires.

Why it was flagged

The TGO bearer token is written to a predictable file in `/tmp` without visible chmod or private storage controls.

Skill content

TOKEN_FILE="/tmp/food402-token" ... echo "$token" > "$TOKEN_FILE"

Recommendation

Use this only on a trusted single-user machine, clear the token after use, and prefer private credential storage or file permissions such as owner-only access.

What this means

The payment verification page may run scripts in your browser and may briefly exist as a local temporary file.

Why it was flagged

The 3D Secure handler writes provider-supplied HTML to a temporary file and opens it in the system browser, which is expected for 3D Secure but still executes browser content outside the agent.

Skill content

echo "$HTML_CONTENT" > "$TEMP_FILE" ... open "$TEMP_FILE" ... xdg-open "$TEMP_FILE"

Recommendation

Verify the browser page is from the expected payment flow and avoid using this on untrusted or shared systems.

What this means

You have less provenance information to verify who maintains the integration before sharing credentials with it.

Why it was flagged

The registry metadata does not provide an upstream source or homepage for verification, which is noteworthy because the skill asks for food-delivery account credentials.

Skill content

Source: unknown; Homepage: none

Recommendation

Review the included scripts and only provide credentials if you trust the publisher and endpoints.