ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Strider Kroger

Shop Kroger via Strider Labs MCP connector. Search groceries, clip digital coupons, manage cart, order pickup or delivery. Complete autonomous grocery shoppi...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 35 · 1 current installs · 1 all-time installs
by@markswendsen-code
MIT-0
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
Name/description match the SKILL.md functionality (Kroger shopping, coupons, cart, checkout). However the SKILL.md explicitly says an OAuth flow and saved payment methods are used, yet the registry metadata lists no required credentials, no primary credential, and no required config paths. The skill should have declared the OAuth tokens/credentials or at least a primaryEnv to reflect that reality.
Instruction Scope
SKILL.md stays on-topic for a Kroger connector (search, coupons, cart, checkout). It does instruct an OAuth authorization flow and claims tokens are stored encrypted per-user — but it does not specify OAuth client IDs/secrets, scopes, where/how tokens are persisted, or how payment methods are accessed/authorized. Lack of detail gives the agent broad discretion during auth/checkout steps.
!
Install Mechanism
The skill is instruction-only in the registry but instructs users/agents to install/run the npm package @striderlabs/mcp-kroger via npm/npx. Running npx @striderlabs/mcp-kroger will fetch and execute package code at runtime; the MCP config shown uses npx without a pinned package version (risk of unexpected updates). Using npm/npx is expected for this type of connector, but the registry entry should have made this explicit and ideally recommend pinned versions or provide a vetted install spec.
!
Credentials
No required env vars are declared, yet the connector requires an OAuth flow and will access user account data and saved payment methods during checkout. The lack of declared credentials (OAuth tokens, client secret, or a primary credential) is a proportionality gap: the skill will need sensitive access but the registry metadata doesn't surface that fact.
Persistence & Privilege
always is false and the skill does not request system-wide or always-on privileges. It mentions storing tokens encrypted per-user (reasonable for an OAuth connector), but does not claim to modify other skills or global agent settings.
What to consider before installing
This skill appears to do what it says (Kroger shopping) but has important omissions you should resolve before installing. Verify the npm package and its publisher (check the package page, repository, and recent versions), prefer a pinned package version, and review the package source to see what it does when executed via npx. Ask the provider to document the OAuth flow, required scopes, where tokens and payment details are stored, and any environment variables needed. Treat npx execution of third‑party packages as potentially risky — run in a sandbox or CI with limited privileges if you must test it. If you use this skill for real purchases, confirm how stored payment methods are accessed/consented and whether you can restrict or review authorization scopes.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97c4151gx6dtf8q5q0h5fypkn838290

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsnpx

SKILL.md

Strider Kroger Connector

MCP connector for shopping at Kroger — search products, clip digital coupons, manage cart, and order for pickup or delivery. Works with Kroger family stores (Ralphs, Fred Meyer, Fry's, King Soopers, etc.). Part of the Strider Labs action execution layer for AI agents.

Installation

npm install @striderlabs/mcp-kroger

MCP Configuration

Add to your MCP client configuration (Claude Desktop, Cursor, etc.):

{
  "mcpServers": {
    "kroger": {
      "command": "npx",
      "args": ["-y", "@striderlabs/mcp-kroger"]
    }
  }
}

Available Tools

kroger.search_products

Search Kroger's catalog by keyword, category, or brand.

Input Schema:

{
  "query": "string (search terms)",
  "category": "string (optional: produce, dairy, meat, etc.)",
  "store_id": "string (optional: for local pricing/inventory)",
  "brand": "string (optional: filter by brand)"
}

Output:

{
  "products": [{
    "id": "string",
    "name": "string",
    "price": "number",
    "sale_price": "number (if on sale)",
    "coupon_available": "boolean",
    "in_stock": "boolean",
    "aisle": "string (store location)"
  }]
}

kroger.add_to_cart

Add products to shopping cart with specified quantity.

kroger.get_coupons

Get available digital coupons for your account.

Output:

{
  "coupons": [{
    "id": "string",
    "title": "string",
    "discount": "string",
    "min_purchase": "number",
    "expires": "string (ISO date)"
  }]
}

kroger.clip_coupon

Clip a digital coupon to your Kroger Plus card.

kroger.checkout

Complete purchase with saved payment method.

Input Schema:

{
  "fulfillment_type": "string (pickup, delivery)",
  "store_id": "string (for pickup)",
  "delivery_address": "object (for delivery)",
  "time_slot": "string (ISO datetime)"
}

kroger.find_stores

Find nearby Kroger family stores by location.

Authentication

First use triggers OAuth authorization flow. Works with Kroger Plus card for savings. Tokens stored encrypted per-user.

Usage Examples

Weekly grocery order:

Order groceries from Kroger: milk, eggs, bread, bananas, chicken breasts, and broccoli

Coupon hunting:

Show me available Kroger digital coupons and clip any good ones for products on my shopping list

Pickup scheduling:

Schedule a Kroger pickup for Saturday morning with my weekly essentials

Error Handling

CodeMeaningAction
AUTH_EXPIREDSession expiredRe-authenticate
OUT_OF_STOCKItem unavailableSuggest alternatives
SLOT_UNAVAILABLETime slot takenOffer alternative times
COUPON_EXPIREDCoupon no longer validRemove from cart

Use Cases

  • Weekly grocery shopping: automate recurring orders
  • Coupon optimization: maximize savings with digital coupons
  • Meal planning: order ingredients for weekly meal prep
  • Pickup scheduling: coordinate convenient pickup times

Kroger Family Stores

This connector works with all Kroger-owned chains:

  • Kroger, Ralphs, Fred Meyer, Fry's, King Soopers
  • Smith's, QFC, Dillons, Harris Teeter, and more

Links

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…