Food Order
Suspicious
Audited by ClawScan on May 1, 2026.
Overview
Review before installing: the skill is coherent, but it uses a Foodora login or browser session and an external unpinned CLI that can place real orders after confirmation.
Only install this if you trust and have reviewed ordercli. Use a dedicated browser profile or throwaway config where possible, and never approve `--confirm` until you have checked the order details, address, and price.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The tool may gain access to Foodora account data such as prior orders, addresses, and active orders, as well as the ability to place orders.
The skill instructs the agent/user to authenticate to Foodora using either a password flow or a local Chrome session profile, giving ordercli account-level access.
Login (password): `ordercli foodora login --email you@example.com --password-stdin`
Login (no password, preferred): `ordercli foodora session chrome --url https://www.foodora.at/ --profile "Default"`
Use only an account and browser profile you intend to expose to ordercli, and avoid entering credentials unless you trust the ordercli tool and have reviewed the exact command.
If the confirmation step is mishandled, the user could place an unintended food order or use the wrong address.
The documented command can change the cart or place a real reorder, but the skill also explicitly requires user confirmation first.
Place reorder (cart change; explicit confirmation required) - Confirm first, then run: `ordercli foodora reorder <orderCode> --confirm`
Before approving `--confirm`, verify restaurant, items, quantity, total cost, delivery address, and that the user has explicitly said to place the order.
Installing a moving latest version means the reviewed instructions do not identify the exact code that will handle Foodora credentials and order actions.
The skill references installing an external CLI with an unpinned `@latest` version, and that CLI is then used for login/session handling and order placement.
`"module":"github.com/steipete/ordercli/cmd/ordercli@latest","bins":["ordercli"],"label":"Install ordercli (go)"`
Verify the ordercli project and consider pinning a specific reviewed version before using it with Foodora credentials or browser sessions.
