kroger

Security checks across malware telemetry and agentic risk

Overview

This Kroger skill is mostly a legitimate grocery and cart helper, but its script has an unsafe input-handling bug that could let a crafted search term run local code.

Review the shell script before installing. Until the Python input handling is fixed, do not feed the skill untrusted pasted grocery lists or unusual search strings; confirm every cart addition; and protect, or revoke, the Kroger OAuth token file when you are finished.
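The bug class the overview describes, a search term interpolated into a shell command, shown as an added, constructed illustration rather than the Kroger skill's own code. `search_vulnerable` is the unsafe pattern, `search_quoted` shows the minimum fix when a shell string is unavoidable, `search_hardened` avoids the shell entirely, and `is_safe_term` is an allow-list check to apply before a term reaches any of them. `echo` stands in for whatever CLI the real script calls; the function names are hypothetical.

```python
import re
import shlex
import subprocess

# Constructed example of the "crafted search term runs local code" bug class.
# Not the Kroger skill's code; `echo` stands in for the real command.

TERM_RE = re.compile(r"[A-Za-z0-9 '&-]{1,64}")


def is_safe_term(term: str) -> bool:
    """Allow-list check: letters, digits, spaces and a few punctuation marks only.
    Anything with shell metacharacters (; | $ ` etc.) is rejected up front."""
    return TERM_RE.fullmatch(term) is not None


def search_vulnerable(term: str) -> str:
    """Interpolates the term into a shell string and runs it with shell=True,
    so `milk; echo INJECTED` executes a second command."""
    cmd = f"echo searching for {term}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def search_quoted(term: str) -> str:
    """If a shell string is unavoidable, shlex.quote() makes the term a single
    word to the shell, so metacharacters are passed through literally."""
    cmd = "echo searching for " + shlex.quote(term)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def search_hardened(term: str) -> str:
    """Preferred form: argv list, no shell. The term is one argument and
    cannot change which program runs or add commands."""
    return subprocess.run(
        ["echo", "searching for", term], capture_output=True, text=True
    ).stdout


if __name__ == "__main__":
    crafted = "milk; echo INJECTED"
    print("allow-list accepts crafted term:", is_safe_term(crafted))
    print("vulnerable :", repr(search_vulnerable(crafted)))
    print("quoted     :", repr(search_quoted(crafted)))
    print("hardened   :", repr(search_hardened(crafted)))
```

Run it and the vulnerable variant prints `INJECTED` on its own line, while both safe variants print the crafted string verbatim as part of the search phrase.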

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94%
Finding
The skill documents use of environment variables, token file storage, network calls, and shell scripts, but no explicit permission declarations or constraints are provided. That creates a transparency and governance gap: an agent may invoke credentialed network and file-writing behavior without the user or platform having a clear permission model for those sensitive capabilities.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92%
Finding
The manifest frames the skill mainly as grocery search/cart/store lookup, but the documented behavior also includes OAuth login, authorization code exchange, token refresh, and token inspection. Undeclared authentication flows and credential handling are security-sensitive because they expand the trust boundary and can lead to token exposure, unintended login prompts, or agent actions that the user did not reasonably anticipate from the description.
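Both findings above come down to the same check: which sensitive capabilities (environment variables, token files, network calls, shell execution, OAuth flows) the skill's files actually use versus what its manifest declares. This added example, not the scanner's or the skill's code, runs that comparison over a constructed sample skill. The manifest format (`permissions: [...]` in front matter), the file names and the indicator regexes are assumptions chosen for illustration, not an exhaustive taxonomy.

```python
import re
import tempfile
from pathlib import Path

# Added example: static capability-vs-declaration check for an agent skill.
# Indicator patterns are illustrative heuristics, not an exhaustive taxonomy.
CAPABILITY_PATTERNS = {
    "env": re.compile(r"os\.environ|os\.getenv\(|\$[A-Z_]{3,}"),
    "token_file": re.compile(r"token\w*\.(json|txt)|open\([^)]*token[^)]*[\"']w", re.I),
    "network": re.compile(r"requests\.|urllib\.request|httpx\.|\bcurl\s"),
    "shell": re.compile(r"subprocess\.|os\.system\(|shell=True"),
    "oauth": re.compile(r"oauth|authorization_code|refresh_token", re.I),
}
SCANNED_SUFFIXES = {".py", ".sh", ".md"}


def parse_declared(manifest_text: str) -> set:
    """Read a `permissions: [a, b]` line from the manifest (assumed format)."""
    m = re.search(r"^permissions:\s*\[(.*?)\]", manifest_text, re.M)
    if not m:
        return set()
    return {p.strip() for p in m.group(1).split(",") if p.strip()}


def scan_skill(skill_dir: Path) -> dict:
    """Map each capability to the file:line locations where an indicator appears."""
    hits = {cap: [] for cap in CAPABILITY_PATTERNS}
    for path in sorted(skill_dir.rglob("*")):
        if not path.is_file() or path.suffix not in SCANNED_SUFFIXES:
            continue
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            for cap, pat in CAPABILITY_PATTERNS.items():
                if pat.search(line):
                    hits[cap].append(f"{path.name}:{lineno}")
    return hits


def undeclared_capabilities(hits: dict, declared: set) -> dict:
    """Capabilities used in the files but absent from the manifest's declarations."""
    return {cap: locs for cap, locs in hits.items() if locs and cap not in declared}


def build_sample_skill(root: Path) -> Path:
    """Constructed skill (hypothetical file names, example.invalid hosts) that
    declares only 'network' yet also reads env vars, stores a token file,
    performs an OAuth code exchange and shells out."""
    skill = root / "kroger-sample"
    skill.mkdir()
    (skill / "SKILL.md").write_text(
        "---\nname: kroger-sample\npermissions: [network]\n---\n"
        "Search products, look up stores and add items to the cart.\n"
    )
    (skill / "kroger_cli.py").write_text(
        "import os, json, subprocess, requests\n"
        "CLIENT_ID = os.environ['KROGER_CLIENT_ID']\n"
        "TOKEN_PATH = os.path.expanduser('~/.kroger_token.json')\n"
        "def exchange_code(code):\n"
        "    r = requests.post('https://auth.example.invalid/token',\n"
        "                      data={'grant_type': 'authorization_code', 'code': code})\n"
        "    json.dump(r.json(), open(TOKEN_PATH, 'w'))\n"
        "def search(term):\n"
        "    subprocess.run(f'curl -s https://api.example.invalid/products?term={term}', shell=True)\n"
    )
    return skill


def demo() -> dict:
    """Build the sample skill in a temp dir and return its undeclared capabilities."""
    with tempfile.TemporaryDirectory() as tmp:
        skill = build_sample_skill(Path(tmp))
        declared = parse_declared((skill / "SKILL.md").read_text())
        return undeclared_capabilities(scan_skill(skill), declared)


if __name__ == "__main__":
    for cap, locs in demo().items():
        print(f"undeclared capability '{cap}' used at {', '.join(locs)}")
```

On the sample, `network` is declared and so is not reported, while `env`, `token_file`, `oauth` and `shell` each come back with the line that uses them. Run the same scan over a real skill directory and treat every reported capability as something the manifest, and the user approving it, should have been told about.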

Vague Triggers

Medium
Confidence
84%
Finding
The activation guidance is broad enough to match ordinary grocery-related requests, yet the skill can perform authenticated operations such as OAuth login and adding items to a cart. In context, over-broad triggering increases the chance that an agent invokes a credentialed commerce workflow when the user only wanted informational help, leading to unintended account actions or unnecessary exposure to auth flows.

VirusTotal

0/66 vendors flagged this skill; all 66 reported it clean. Note that antivirus verdicts cover known-malicious files, not the input-handling, permission and trigger issues described above.
