Is jasonahorn/kroger-api-skill safe?
https://github.com/openclaw/skills/tree/main/skills/jasonahorn/kroger-api-skill
The jasonahorn/kroger-api-skill is a well-structured, legitimate Kroger API integration with no evidence of prompt injection, malicious code, or credential exfiltration. The primary risks are operational rather than adversarial: the skill can place real, irreversible grocery pickup orders on the user's behalf without a mandatory per-order confirmation step, and OAuth tokens are persisted in a plain-text state.json file that any co-installed skill with filesystem access could read. No canary files were compromised and clone behavior was entirely expected.
Findings (8)
HIGH: Real purchase order placement without per-order confirmation gate (-20)
The order-create command submits a live Kroger pickup order via authenticated API call. The documented agent workflow encourages the agent to autonomously search, cart, check availability, and create an order in a single conversation flow. There is no instruction to pause and obtain explicit per-order user approval before the irreversible order-create step, meaning a capable agent could complete a purchase without the user realizing.
MEDIUM: OAuth credentials stored in plain-text state.json (-20)
The skill persists client_id, client_secret, access_token, and refresh_token in state.json inside the skill directory. Any other skill, process, or agent tool with read access to the filesystem can trivially read these credentials and use them to make authenticated Kroger API calls — including placing orders — on the user's behalf.
MEDIUM: Stored OAuth tokens accessible to co-installed skills (-15)
Because state.json is stored in the skill directory with standard filesystem permissions and contains long-lived refresh tokens, any co-installed skill that gains filesystem read access can harvest these tokens and impersonate the user against Kroger's API indefinitely (until the user revokes the OAuth app).
LOW: Executable Python script with live API side-effects (-15)
client.py is a functional Python script invoked directly by the agent via exec. It makes network requests to api.kroger.com and can modify external state (cart, orders, location). While appropriate for the skill's purpose, agents should be aware that every invocation of cart-add or order-create produces real side-effects.
LOW: Agent autonomously selects UPCs and slots without per-item confirmation (-8)
SKILL.md instructs the agent to 'pick UPC (e.g. first result)' and proceed through the workflow autonomously. This is not a prompt injection attack but does mean an agent could add items or select pickup slots the user did not explicitly choose.
LOW: grocery-list.txt read from current working directory (-5)
The grocery subcommand reads grocery-list.txt from os.getcwd(), not a fixed absolute path. If the agent's working directory is attacker-influenced, a malicious grocery-list.txt could inject arbitrary product search terms into the workflow.
INFO: Install uses git sparse-checkout from public monorepo (0)
Installation clones the openclaw/skills monorepo at depth 1, performs a sparse-checkout of the target subpath, copies files, and removes the clone. This is a standard install pattern with no anomalous behavior observed.
INFO: Canary credential files accessed only by audit framework (0)
Honeypot files (.env, id_rsa, .aws/credentials, etc.) were read twice — once during audit framework setup at 11:10:01 and once during teardown canary check at 11:10:25. No skill-initiated reads or writes to these files were detected. All canaries intact.