Bring! Shopping Lists

Pass. Audited by ClawScan on May 1, 2026.

Overview

The skill appears to do what it claims—manage a Bring! shopping list—but users should know it needs Bring account credentials and can change the default list.

This skill looks reasonable for managing a Bring! shopping list. Before installing, be comfortable storing your Bring email and password for agent use, and remember that the agent can add, remove, or complete items on your default Bring list when it interprets a shopping-list request.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone installing the skill must provide Bring account credentials, allowing the skill to read and modify the default Bring shopping list.

Why it was flagged

The code uses the user's Bring email and password to authenticate to the Bring account. This is necessary for the stated shopping-list integration and is disclosed, but it is still sensitive account access.

Skill content

EMAIL = os.environ["BRING_EMAIL"]
PASSWORD = os.environ["BRING_PASSWORD"]
...
bring = Bring(session, EMAIL, PASSWORD)
await bring.login()

Recommendation

Use a dedicated Bring password if available, store the credentials carefully, and only install the skill if you are comfortable giving it access to your Bring shopping list.

What this means

A mistaken interpretation of a grocery request could modify the shopping list before the user notices.

Why it was flagged

The skill instructs the agent to execute commands that can add, remove, or complete shopping-list items, with confirmation after the action rather than a required pre-action approval step.

Skill content

Run the appropriate CLI command

3. Confirm the action naturally

Recommendation

For remove or complete requests, verify that the agent understood the intended items, especially if the request is ambiguous.

What this means

Future installs may pull whatever package versions are current at the time, so behavior can depend on third-party package availability and integrity.

Why it was flagged

The skill depends on external Python packages without pinned versions. The README also states it uses the unofficial bring-api package, which is expected for this integration but is still a supply-chain consideration.

Skill content

bring-api
python-dotenv

Recommendation

If you want stronger reproducibility, pin dependency versions and review the bring-api package before use.