Ordercli

Warn

Audited by ClawScan on May 1, 2026.

Overview

The skill mostly matches a Foodora order CLI, but it asks to use browser sessions/cookies and includes a cart-changing reorder command beyond the checking-only description, so it should be reviewed before installation.

Before installing, verify the upstream ordercli source, avoid browser cookie/session import unless you are comfortable granting account access, and require explicit approval for every reorder or cart-changing command.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A browser session or token can grant access to the user's Foodora or Deliveroo account without re-entering a password.

Why it was flagged

These instructions direct use of local browser cookies, browser sessions, and bearer/cookie tokens for food-ordering account access; the artifact does not describe how that credential material is stored, limited, or cleaned up.

Skill content

Import Chrome cookies: `ordercli foodora cookies chrome --profile "Default"`; Session import: `ordercli foodora session chrome --url https://www.foodora.at/ --profile "Default"`; Requires `DELIVEROO_BEARER_TOKEN` (optional `DELIVEROO_COOKIE`).

Recommendation

Only use these session/cookie import commands if you trust the installed CLI source; prefer a dedicated config/profile where possible and avoid importing broad browser credentials unless necessary.

What this means

The agent could be given access to a command that changes the user's Foodora cart, not just reads order information.

Why it was flagged

The short description frames the skill as read-only order checking, but the runtime instructions include a cart-changing reorder operation.

Skill content

description: Foodora-only CLI for checking past orders and active order status ... Reorder (adds to cart) ... `ordercli foodora reorder <orderCode> --confirm`

Recommendation

Treat reorder commands as account-mutating actions and require explicit user approval immediately before any `--confirm` reorder or address-changing command.

What this means

The installed binary may change over time or differ by install method.

Why it was flagged

The skill depends on an externally installed CLI, and the Go install path uses an unpinned @latest version.

Skill content

brew formula: `steipete/tap/ordercli`; go module: `github.com/steipete/ordercli/cmd/ordercli@latest`

Recommendation

Review the upstream project and consider pinning a known version before using it with account credentials or browser sessions.