Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Food402 - TGO Yemek
v1.0.0
Order food from TGO Yemek (Trendyol GO), Turkey's leading food delivery service. Use when user wants to order food delivery in Turkey, browse restaurants, search for foods, manage delivery addresses, check order history, or checkout with 3D Secure payment.
⭐ 0 · 1.6k · 1 current · 1 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name, description, and included scripts implement a Trendyol GO (TGO Yemek) ordering flow (auth, address management, cart, payment). Requiring TGO_EMAIL and TGO_PASSWORD is consistent with needing to authenticate to the service. GOOGLE_PLACES_API_KEY is plausible for optional Google Reviews functionality, but see environment_proportionality note below.
Instruction Scope
SKILL.md and the scripts instruct only to call TGO endpoints (tgoyemek.com, api.tgoapis.com, payment.tgoapps.com), manage addresses/cart, and open 3D Secure HTML in the system browser. The workflows and required step ordering are explicit; the skill does not instruct reading unrelated system files or exfiltrating arbitrary data.
Install Mechanism
No install spec (instruction-only with bundled scripts) — low risk from installation. All code is included in the skill bundle; there are no network downloads or archive extraction steps in the install phase.
Credentials
TGO_EMAIL and TGO_PASSWORD are needed to perform login — proportionate but high-sensitivity. The metadata declares GOOGLE_PLACES_API_KEY as required, yet SKILL.md calls it optional for Google Reviews; this mismatch should be resolved. Required binaries list includes openssl (not used by scripts) and jq (used only in example CLI pipes), so the declared binaries are slightly broader than what the scripts themselves use.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide config. It caches the received auth token in /tmp (TOKEN_FILE and EXPIRY_FILE) and writes a temporary HTML file for 3D Secure which it attempts to delete after 5 minutes — these are expected behaviors for this use case but involve local storage of sensitive tokens.
Assessment
This skill appears to do what it claims (log in to Trendyol GO, browse, add to cart, and handle 3D Secure). Before installing:
1) Only install if you trust the source — the skill requires your Trendyol email and password (sensitive). Consider using an account you can revoke or rotate.
2) Store env vars securely (avoid committing them); the skill caches the service token in /tmp where other local users could possibly read it.
3) The metadata lists GOOGLE_PLACES_API_KEY as required but SKILL.md marks it optional — you can likely omit it unless you need Google review lookups.
4) The declared required binaries include openssl though the scripts do not use it; this is likely harmless but odd.
5) If you have concerns, inspect the scripts yourself (they are included) or run them in an isolated environment first.
If you want me to, I can point out exact lines to review or suggest safer deployment patterns (e.g., ephemeral credentials, stricter temp-file permissions).
Like a lobster shell, security has layers — review code before you run it.
latestvk97cmnxcm6fw9v5rf5930as2z180fx7m
Runtime requirements
🍕 Clawdis
Bins: curl, jq, openssl
Env: TGO_EMAIL, TGO_PASSWORD, GOOGLE_PLACES_API_KEY
Primary env: TGO_EMAIL
