Food Order
Pass
Audited by VirusTotal on May 13, 2026.
Overview
Type: OpenClaw Skill
Name: food-order
Version: 1.0.0

The skill bundle instructs the agent to install and use the `ordercli` tool. While the `SKILL.md` includes explicit safety instructions to prevent unauthorized order confirmation, it also directs the agent to use `ordercli foodora session chrome --profile "Default"` for login. This command interacts with browser profiles, which is a high-risk capability that could be leveraged for sensitive data access or exfiltration if the `ordercli` binary itself were compromised or misused, even if the stated intent in `SKILL.md` is for legitimate login.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The tool may gain access to Foodora account data such as prior orders, addresses, active orders, and the ability to place orders.
The skill instructs the agent/user to authenticate to Foodora using either a password flow or a local Chrome session profile, giving ordercli account-level access.
Login (password): `ordercli foodora login --email you@example.com --password-stdin`
Login (no password, preferred): `ordercli foodora session chrome --url https://www.foodora.at/ --profile "Default"`
Use only an account and browser profile you intend to expose to ordercli, and avoid entering credentials unless you trust the ordercli tool and have reviewed the exact command.
If the confirmation step is mishandled, the user could place an unintended food order or use the wrong address.
The documented command can change the cart or place a real reorder, but the skill also explicitly requires user confirmation first.
Place reorder (cart change; explicit confirmation required) - Confirm first, then run: `ordercli foodora reorder <orderCode> --confirm`
Before approving `--confirm`, verify restaurant, items, quantity, total cost, delivery address, and that the user has explicitly said to place the order.
Installing a moving latest version means the reviewed instructions do not identify the exact code that will handle Foodora credentials and order actions.
The skill references installing an external CLI with an unpinned `@latest` version, and that CLI is then used for login/session handling and order placement.
"module":"github.com/steipete/ordercli/cmd/ordercli@latest","bins":["ordercli"],"label":"Install ordercli (go)"
Verify the ordercli project and consider pinning a specific reviewed version before using it with Foodora credentials or browser sessions.
