Safety Report

Apo Cli

Name: Apo Cli
Rating: 5 (4 reviews)
Author: Lars147

Search and order pharmacy products from apohealth.de via apo-cli. Use for medication search (by name or PZN), product details, category browsing, and cart management. Trigger when the user mentions Apotheke, pharmacy, Medikament, medication, PZN, apohealth, or health products.

787Downloads

0Installs

4Stars

2Versions

Workflow Automation3,323 Search & Retrieval2,116 CLI & Shell Tools1,805 E-Commerce1,690

Security Analysis

high confidence

Clean0.04 risk

The skill's code, instructions, and requested resources are coherent with its stated purpose (searching apohealth.de and building a cart); it stores cookies/cart locally but does not request unrelated credentials or perform unexpected network exfiltration.

Feb 11, 20266 files1 concern

Purpose & Capabilityok

Name/description (apo-cli for apohealth.de) match the included code (apo_cli.py) and README/RESEARCH documents. Required resources are minimal (no env vars, no external binaries) and consistent with a web-scraping/Shopify storefront client.

Instruction Scopeok

SKILL.md directs the agent to run the bundled apo_cli.py for search, product details, category browsing, and cart management. It explicitly forbids completing purchases and requires confirmation for destructive actions. The runtime instructions do not request unrelated files or credentials.

Install Mechanismok

This is instruction-only for the agent with bundled Python code; no install spec or remote downloads are present. The skill does write local files (cookie and cart JSON) in its own directory, which is expected for session management.

Credentialsnote

The skill requests no environment variables or external credentials. It persists cookies and a cart token to files in the skill directory (apo_cookies.json and apo_cart.json) — these may contain session identifiers and should be treated as sensitive. No unrelated credentials or external endpoints are used in the code.

Persistence & Privilegeok

always is false and there is no install-time hook that modifies other skills or global agent settings. The skill persists only its own cookie/cart files in its directory, which is normal for a CLI that manages sessions.

Guidance

This skill appears coherent and implements what it claims: a read/write client for apohealth.de that can add/remove items and build a cart. Before installing, note that it saves cookies and a cart token to local files in the skill directory (apo_cookies.json and apo_cart.json) — treat those as sensitive session data and remove them if you share the machine. The skill does POST requests to apohealth.de to add/update/clear cart items (expected behavior). Verify you are comfortable with the skill making network requests only to apohealth.de; if you need stronger isolation, run it in a sandbox/container or inspect the full apo_cli.py for any additional endpoints before use. Finally, the RESEARCH.md documents a publicly visible Shopify storefront token (found in site HTML in many Shopify stores); the code does not use private credentials and does not request any secrets.

Latest Release

v0.1.1

- Updated critical rules to require always providing the apohealth.de cart URL for users when interacting via chat. - Clarified that users cannot open a browser from the agent and must have a clickable link to access their cart. - Removed instruction to users to checkout via the CLI; emphasized user-driven checkout outside the agent. - No changes to CLI command usage, workflows, or setup steps.

More by @Lars147

Knuspr

0 stars

Cookidoo

0 stars

Mvg

0 stars

self-improving-agent

@pskoett · 1,456 stars

Gog

@steipete · 672 stars

Tavily Web Search

@arun-8687 · 620 stars

Published by @Lars147 on ClawHub