Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
kroger
v1.0.0
Search Kroger products and add items to a Kroger cart via the Kroger API. Use when a user asks to find groceries, add items to their Kroger cart, look up Kro...
by Tongyan Li (@tongyanli-hash)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Suspicious (medium confidence)

Purpose & Capability
The name and description match the code: the script calls api.kroger.com for product search, locations, and cart operations. However, the registry metadata claims no required environment variables and no primary credential, while the script and SKILL.md clearly require KROGER_CLIENT_ID and KROGER_CLIENT_SECRET (and optionally a token file). This metadata omission is an inconsistency between what the registry declares and what the skill actually needs.
Instruction Scope
SKILL.md and the script limit actions to Kroger's API and a local token file. The runtime instructions start a localhost HTTP listener to capture the OAuth authorization code (when redirect_uri points to localhost) and write tokens to a file under the user's home directory by default. Both are expected for an OAuth-based CLI but worth noting, because they touch local files and temporarily open a local port.
Install Mechanism
This skill is instruction-only plus a shell script; there is no installer and no remote download. No additional packages are pulled at install time. Risk from the install mechanism is low.
Credentials
The skill requires sensitive credentials (KROGER_CLIENT_ID and KROGER_CLIENT_SECRET) to operate, and it stores user tokens in a file (default ~/.kroger-tokens.json). The registry metadata does not declare these required environment variables or a primary credential, which is inconsistent and could mislead users. The script also expects TOKEN_FILE to be available to the embedded Python code via the environment, but the bash variable TOKEN_FILE is not exported (a bug), so the Python code will not see the value set in the shell.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It reads and writes a token file in the user's home directory (normal for an OAuth CLI). No elevated privileges are requested.
What to consider before installing
This script mostly does what it claims (calls Kroger's public API and manages OAuth tokens), but the registry metadata failed to list the required secrets. Before installing:
(1) Verify the publisher/source and inspect the script yourself.
(2) Be prepared to provide KROGER_CLIENT_ID and KROGER_CLIENT_SECRET; keep them secret and store them in a restricted environment.
(3) Decide where tokens should be stored (default is ~/.kroger-tokens.json) and consider using a secure location.
(4) Note that the script will optionally open a localhost listener to capture the OAuth code; run that on a trusted machine and port.
(5) Be aware of a small bug: the script uses TOKEN_FILE inside embedded Python but does not export it, so you may need to set/export KROGER_TOKEN_FILE or patch the script.
(6) Run the script in a least-privileged account or sandbox if you have any doubt.

Like a lobster shell, security has layers — review code before you run it.
