Is ordercli safe?

https://clawhub.ai/steipete/ordercli

Overall score: 82 · Verdict: SAFE

ordercli is a lightweight CLI wrapper skill for food delivery order management. The SKILL.md contains no prompt injection, hidden instructions, or malicious code. The primary risks are credential handling (password piping, cookie import, bearer tokens) inherent to the tool's authentication design, the potential for real financial transactions via the reorder --confirm command, and reliance on a third-party binary whose security is outside the skill's scope. Clone-time monitoring showed zero suspicious activity.

Category Scores

Category               Score     Weight
Prompt Injection       90/100    30%
Data Exfiltration      72/100    25%
Code Execution         78/100    20%
Clone Behavior         95/100    10%
Canary Integrity      100/100    10%
Behavioral Reasoning   65/100     5%

Findings (9)

MEDIUM · Credential piping via --password-stdin · -10

The skill documents logging in with --password-stdin, so the agent could be prompted to pipe the user's password directly into the CLI. Reading a password from stdin is standard CLI practice, but in an agent context it means the LLM handles the plaintext credential.

MEDIUM · Browser cookie and session extraction · -12

The skill documents commands to import Chrome cookies and browser sessions, giving the agent instructions to access sensitive browser authentication state. This data could be leaked if combined with other skills or prompt injection.

LOW · Bearer token environment variable · -6

The skill references DELIVEROO_BEARER_TOKEN as an environment variable. An agent could be prompted to read or display this token value.

MEDIUM · External binary installation from third-party tap · -15

The skill's install metadata directs installation of a Go binary from steipete/tap/ordercli (Homebrew) or github.com/steipete/ordercli (go install). The security of the installed binary is outside the scope of a SKILL.md review — a compromised binary could do anything.

LOW · Browser process spawning via --browser flag · -7

The --browser flag launches a real browser for Cloudflare bypass, which expands the attack surface by spawning an additional process with network access.

MEDIUM · Financial transaction risk via reorder --confirm · -20

The reorder command with --confirm can trigger real financial transactions (adding items to the cart and potentially completing orders). An agent acting autonomously could place unwanted orders. The skill does include a safeguard note about confirming with the user first.

LOW · Session data accessible to other skills · -15

If other skills are installed alongside ordercli, they could potentially access cached session tokens or config files written by ordercli to known paths.

INFO · Homepage URL is informational only · -5

The homepage URL https://ordercli.sh is listed in metadata but is not referenced as something the agent should fetch or navigate to. No injection risk.

INFO · Install metadata uses standard package managers · -5

The install instructions use brew and go install, which are standard and expected. There is no curl-pipe-bash or other risky install pattern.