Manage grocery and shopping lists via AnyList. Use when user asks about shopping lists, groceries, or adding/checking off items to buy.
Security Analysis
Medium confidence
The skill's description matches AnyList CLI usage, but the runtime instructions reference credentials (ANYLIST_EMAIL / ANYLIST_PASSWORD) and an npm package install even though the skill metadata declares no required credentials or install. This mismatch is unresolved and should be clarified before trusting the skill.
Name and description (manage AnyList shopping lists) align with the instructions which show CLI commands (lists, items, add, check, etc.). The declared metadata bin 'anylist' is consistent with an anylist CLI binary.
SKILL.md instructs the agent/user to run an external CLI (anylist) and to authenticate (either interactively via 'anylist auth' or via env vars). The instructions do not ask the agent to read unrelated system files, but they do reference environment variables (ANYLIST_EMAIL, ANYLIST_PASSWORD) that are not declared in the skill's metadata — the agent could be asked to use or access credentials not announced by the skill manifest.
There is no install spec in the registry (instruction-only), but SKILL.md recommends npm install -g anylist-cli. Using an npm package is a normal approach, but the registry didn't declare an install step or vet the package. This is moderate-risk compared with a bundled or well-known release; verify the npm package and its publisher before installing.
The runtime instructions suggest using ANYLIST_EMAIL and ANYLIST_PASSWORD for non-interactive auth, but the skill manifest lists no required env vars or primary credential. Requesting an email/password (especially a password env var) is plausible for a CLI client, but the lack of declared credentials in metadata is an inconsistency and storing passwords in plain env vars is a privacy risk — a token-based auth would be preferable.
always is false and there are no install steps that modify other skills or system-wide settings. The skill is instruction-only and does not request persistent placement or elevated privileges in the manifest.
Guidance
This skill appears to be a wrapper around an AnyList CLI, which is reasonable for managing shopping lists, but there are a couple of things to check before installing or using it:
1) Metadata mismatch: the SKILL.md tells you to authenticate non-interactively using ANYLIST_EMAIL and ANYLIST_PASSWORD, yet the skill manifest does not declare any required credentials. Ask the publisher to declare these env vars (or better, a token) in the manifest.
2) Verify the npm package: the instructions recommend 'npm install -g anylist-cli'; confirm the package name, publisher, and source on npm (and prefer an official package) before installing.
3) Avoid storing plaintext passwords in environment variables if possible; prefer API tokens or OAuth.
4) If you intend the agent to run this autonomously, be cautious about granting it access to environment variables or secrets on the host; ensure the agent runtime limits which env vars the skill can access.
If the publisher cannot justify the missing credential declarations or provide a safer auth method, treat the skill as untrusted.
Latest Release
v0.1.0
Initial release
Published by @mjrussell on ClawHub