ClawHub

Food Order

Reorder Foodora orders + track ETA/status with ordercli. Never confirm without explicit user approval. Triggers: order food, reorder, track ETA.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
7 · 3.3k · 379 current installs · 388 all-time installs
byPeter Steinberger@steipete
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The goal (reorder Foodora orders and track ETA using ordercli) is coherent with the instructions. However, registry fields earlier stated 'no required binaries / env vars', while the SKILL.md metadata declares a required bin (ordercli) and an install via a Go module — this inconsistency should be resolved (either the skill really needs ordercli or the registry record is inaccurate).
!
Instruction Scope
SKILL.md instructs running ordercli commands that require account credentials (password via --password-stdin) or using 'ordercli session chrome --profile "Default"', which implies accessing the user's browser profile/session. The instructions also recommend writing config files (e.g., --config /tmp/ordercli.json). These actions involve sensitive data (passwords, browser cookies/profiles, local files) but the skill does not declare or justify how those will be provided or protected.
Install Mechanism
There is no install spec in the registry entry, yet the SKILL.md metadata includes an install entry installing ordercli from github.com/steipete/ordercli via Go modules. Installing a binary from a GitHub module is a common approach but carries the usual risk of executing third-party code; the install origin is a GitHub repo (not an untrusted paste/IP shortener), which is better than arbitrary downloads, but the registry/metadata mismatch is concerning and should be clarified.
!
Credentials
The skill did not declare required environment variables or credentials, but its usage clearly requires Foodora credentials or an authenticated browser session. The instructions suggest methods that access sensitive secrets (password via stdin) or local browser profiles; those are not reflected in requires.env and so the declared environment access is incomplete and disproportionate to what's documented.
Persistence & Privilege
always:false and normal agent invocation settings mean the skill is not force-included system-wide. The skill does instruct writing a config file if used (e.g., --config /tmp/ordercli.json), but it does not request persistent, elevated system-wide privileges or modifications to other skills.
What to consider before installing
This skill appears to do what it says (use ordercli to reorder and track Foodora orders) but has several red flags you should clear up before installing: - Confirm whether the skill actually requires the ordercli binary and whether the platform will install it; the registry entry and SKILL.md disagree. - Review the ordercli project (github.com/steipete/ordercli) to ensure you trust the source before allowing any install. Installing third-party CLI tools runs arbitrary code on your machine. - Be cautious about providing Foodora credentials or allowing access to your browser profile: the skill suggests both password-based login and using a Chrome profile, which can expose cookies/session tokens. Prefer using a throwaway account or manual login if testing. - Ensure the agent will always ask you before running any --confirm command (the SKILL.md explicitly says so — keep this enforced). Consider running the CLI yourself rather than granting the agent direct execution rights, or run it inside an isolated environment (VM/container) and use a throwaway account. If you still want to proceed, ask the skill author to fix the metadata to explicitly declare the required binaries and clearly state how credentials should be supplied and protected.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk975acy4x4g5nhxe1g1yxqa36h7yk5d7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Food order (Foodora via ordercli)

Goal: reorder a previous Foodora order safely (preview first; confirm only on explicit user “yes/confirm/place the order”).

Hard safety rules

  • Never run ordercli foodora reorder ... --confirm unless user explicitly confirms placing the order.
  • Prefer preview-only steps first; show what will happen; ask for confirmation.
  • If user is unsure: stop at preview and ask questions.

Setup (once)

  • Country: ordercli foodora countriesordercli foodora config set --country AT
  • Login (password): ordercli foodora login --email you@example.com --password-stdin
  • Login (no password, preferred): ordercli foodora session chrome --url https://www.foodora.at/ --profile "Default"

Find what to reorder

  • Recent list: ordercli foodora history --limit 10
  • Details: ordercli foodora history show <orderCode>
  • If needed (machine-readable): ordercli foodora history show <orderCode> --json

Preview reorder (no cart changes)

  • ordercli foodora reorder <orderCode>

Place reorder (cart change; explicit confirmation required)

  • Confirm first, then run: ordercli foodora reorder <orderCode> --confirm
  • Multiple addresses? Ask user for the right --address-id (take from their Foodora account / prior order data) and run:
    • ordercli foodora reorder <orderCode> --confirm --address-id <id>

Track the order

  • ETA/status (active list): ordercli foodora orders
  • Live updates: ordercli foodora orders --watch
  • Single order detail: ordercli foodora order <orderCode>

Debug / safe testing

  • Use a throwaway config: ordercli --config /tmp/ordercli.json ...

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…