Order groceries from Picnic supermarket - search products, manage cart, schedule delivery.
Security Analysis
Confidence: high
The skill's files, instructions, and requirements are internally consistent with a Picnic supermarket CLI: it installs a picnic-api npm dependency, stores a local authKey in ~/.config/picnic/config.json, and exposes commands to search/manage a cart and view delivery slots.
Name/description match the actual code and SKILL.md. The CLI wraps the 'picnic-api' npm package to search products, manage cart, and check deliveries — these capabilities align with the stated purpose. Required artifacts (login, authKey storage) are expected for such a service.
SKILL.md tells the agent to run npm install and node picnic-cli.mjs commands and references only the Picnic-related config file (~/.config/picnic/config.json). This stays within the grocery-ordering scope. One privacy note: the login flow returns and saves an authKey and, in the 2FA path, the CLI outputs the authKey in JSON — that could leak credentials to logs if not handled carefully. A debug file (debug.mjs) is included and reads the same config and calls getDelivery with a hardcoded id; it appears benign but indicates the repo includes a debugging helper.
There is no platform install spec, but SKILL.md instructs the user to run 'npm install' which will fetch 'picnic-api' (and its dependencies) from the public npm registry. That is standard for Node projects but does entail pulling third-party code at install time (moderate risk compared with an instruction-only skill).
The skill requests no environment variables and its only persistent data is a local config file containing an authKey and countryCode under ~/.config/picnic/config.json. Requesting user email/password for login is necessary for its function. There are no unrelated credentials requested.
The skill writes only to its own config path (~/.config/picnic/) and does not request always:true or modify other skills/system-wide settings. Creating and reading that config file is appropriate for a CLI that stores an auth token.
Guidance
This skill is coherent with its stated purpose, but review and accept these facts before installing:
- Installation uses 'npm install' and will fetch the 'picnic-api' package (and transitive dependencies) from the public npm registry — verify you trust that package and version.
- You will need to provide your Picnic email/password (and 2FA if enabled). The CLI stores an authKey in ~/.config/picnic/config.json (file permission set to 600) — treat that file as sensitive.
- The login flow may print the authKey in JSON when 2FA is required; avoid sharing CLI output or logs that might contain that token.
- A debug helper (debug.mjs) is included and reads the same config/authKey; if you don't need it you can ignore or remove it.
If you trust the author and the 'picnic-api' package, the skill is reasonable to use. If you don't trust the source (owner unknown), verify the npm dependency and review the code before supplying real credentials.
Latest Release
v1.0.0
Initial release - search products, manage cart, schedule delivery from Picnic supermarket
Published by @mpociot on ClawHub