Ordercli

v1.0.0

Foodora-only CLI for checking past orders and active order status (Deliveroo WIP).

by Peter Steinberger (@steipete)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
[!] Purpose & Capability
The skill claims to be a thin CLI for Foodora/Deliveroo. That purpose can legitimately require login/session data and an installed binary. However, the registry metadata at the top-level lists no required binaries, no config paths, and no env vars, yet the SKILL.md and its embedded metadata expect the 'ordercli' binary and suggest Homebrew/Go install methods. This mismatch between declared requirements and the instructions is a coherence problem.
[!] Instruction Scope
SKILL.md instructs use of browser-based login, reusing a browser profile path ($HOME/Library/Application Support/ordercli/browser-profile), and importing Chrome cookies from a Chrome profile. Those actions involve reading local browser profiles and cookies (sensitive personal/session data). The instructions also show a Deliveroo bearer token option and password stdin usage. The registry does not declare access to any config paths or secrets, so the instructions widen scope beyond the skill's declared boundaries.
Install Mechanism
The SKILL.md's embedded metadata proposes install via a Homebrew tap (steipete/tap/ordercli) or a Go module from github.com/steipete/ordercli. These are standard distribution channels (lower risk than arbitrary download URLs). The registry, however, lists no install spec while SKILL.md does — the inconsistency should be resolved. You should verify the Homebrew tap and GitHub repo before installing.
[!] Credentials
Top-level registry fields declare no required env vars, but SKILL.md mentions a DELIVEROO_BEARER_TOKEN (and optional DELIVEROO_COOKIE) for Deliveroo support. The instructions also imply supplying email/password (via --password-stdin) and importing browser cookies/profiles. Requesting/using tokens, cookies, or browser profiles is sensitive and should be explicitly declared; its absence is a red flag.
Persistence & Privilege
The skill does not request always:true and does not declare system-wide modifications. It recommends reusing a browser profile path and allows storing a config (e.g., --config /tmp/ordercli.json), but it does not demand permanent presence or modify other skills. No elevated platform privileges are requested in the registry.
What to consider before installing
Before installing or enabling this skill:
(1) Verify the upstream project and Homebrew tap (steipete/ordercli) and review source code on GitHub — the SKILL.md suggests installs come from those sources.
(2) Be cautious about supplying browser profiles, Chrome cookies, or bearer tokens — these contain session/auth data that can access your accounts; only use cookie/profile import in a controlled environment or with throwaway accounts.
(3) Prefer manual use of the ordercli binary rather than granting an agent automatic access; if you do allow the agent to run it, restrict the agent's file access so it cannot read your actual browser profile directory.
(4) If you need Deliveroo support, only provide DELIVEROO_BEARER_TOKEN after reviewing why it's needed.
(5) If you are unsure, run ordercli in an isolated VM or container and inspect network activity and stored config files before trusting it with real credentials.
The main red flags are the mismatch between declared registry requirements and the SKILL.md instructions (sensitive file/cookie access and an undocumented env var).

Like a lobster shell, security has layers — review code before you run it.

latest: vk970jbd7wh96zwhqbezd8ypbxs7yktyc

Runtime requirements

🛵 Clawdis
Bins: ordercli

Install

Install ordercli (brew)
Bins: ordercli
brew install steipete/tap/ordercli
Install ordercli (go)
Bins: ordercli
go install github.com/steipete/ordercli/cmd/ordercli@latest
