tongyanli-hash

kroger

by Tongyan Li · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
730 Downloads · 0 Stars · 1 Active Installs · 1 Versions
Install in OpenClaw
/install kroger
Description
Search Kroger products and add items to a Kroger cart via the Kroger API. Use when a user asks to find groceries, add items to their Kroger cart, look up Kro...
README (SKILL.md)

Kroger

Search products, add to cart, and find store locations via the Kroger public API.

Prerequisites

  • Kroger developer account at https://developer.kroger.com
  • Registered application with Product and Cart API access
  • OAuth redirect URI configured in the Kroger app settings

Environment Variables

Set these before using:

export KROGER_CLIENT_ID="your-client-id"
export KROGER_CLIENT_SECRET="your-client-secret"

Optional:

  • KROGER_TOKEN_FILE — token storage path (default: ~/.kroger-tokens.json)
  • KROGER_REDIRECT_URI — OAuth callback URL (default: http://localhost:8888/callback)
  • KROGER_LOCATION_ID — store ID for location-specific product availability

Setup (One-Time)

1. Register a Kroger Developer App

  1. Go to https://developer.kroger.com
  2. Create an application
  3. Enable Product and Cart scopes
  4. Set redirect URI to http://localhost:8888/callback
  5. Note Client ID and Client Secret

2. Authenticate

Run the auth flow — opens a browser for Kroger login:

scripts/kroger.sh auth

If the redirect URI isn't localhost (e.g., cloud-hosted), use the manual flow:

  1. Open the AUTH_URL printed by scripts/kroger.sh auth
  2. Log in at Kroger
  3. Copy the redirected URL (even if the page errors)
  4. Extract the code parameter and run:
scripts/kroger.sh exchange <code>

Tokens auto-refresh. Re-auth only needed if refresh token expires.

Actions

Search products

scripts/kroger.sh search "cannellini beans"

Returns up to 5 results with product IDs, descriptions, and brands.

Add to cart

scripts/kroger.sh add <productId> [quantity]

Requires prior OAuth login. Quantity defaults to 1.

Find nearby stores

scripts/kroger.sh locations <zipcode>

Returns up to 5 stores with location IDs. Set KROGER_LOCATION_ID to filter product search by store.

Check auth status

scripts/kroger.sh token

Workflow: Grocery List → Cart

Typical flow for adding a grocery list to Kroger:

  1. Search each item: scripts/kroger.sh search "<item>"
  2. Pick the best match from results
  3. Add to cart: scripts/kroger.sh add <productId> <qty>
  4. Repeat for all items

When adding many items, batch all searches first, then confirm selections with the user, then add all to cart.

Usage Guidance
This script mostly does what it claims (calls Kroger's public API and manages OAuth tokens) but the registry metadata failed to list required secrets. Before installing: (1) verify the publisher/source and inspect the script yourself; (2) be prepared to provide KROGER_CLIENT_ID and KROGER_CLIENT_SECRET — keep them secret and store them in a restricted environment; (3) decide where tokens should be stored (default is ~/.kroger-tokens.json) and consider using a secure location; (4) note the script will optionally open a localhost listener to capture the OAuth code—run that on a trusted machine and port; (5) be aware of a small bug: the script uses TOKEN_FILE inside embedded Python but does not export it, so you may need to set/export KROGER_TOKEN_FILE or patch the script; and (6) run the script in a least-privileged account or sandbox if you have any doubt.
Capability Analysis
Type: OpenClaw Skill · Name: kroger · Version: 1.0.0

The `scripts/kroger.sh` file contains several injection vulnerabilities. Specifically, the `cmd_add` function directly interpolates user-controlled `product_id` and `qty` into a JSON payload without proper escaping, making it vulnerable to JSON injection. Additionally, the `cmd_exchange` function directly uses the `$code` parameter in a `curl -d` argument, which could lead to shell injection if the code contains special characters. These are critical vulnerabilities, but there is no clear evidence of intentional malicious behavior like data exfiltration or backdoor installation.
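
The two input-handling problems named above (values interpolated into the cart JSON, and an unencoded `$code` in the `curl -d` body), next to hardened forms. This is an added example, not code from scripts/kroger.sh, which this page does not reproduce; the function names, the `upc`/`quantity` field names, the digit-only limits and the sample values are assumptions.

```sh
#!/bin/sh
# Added example: hypothetical helpers, not the code in scripts/kroger.sh.
# Field names "upc"/"quantity" and the validation limits are assumptions.

# Pattern described above: arguments pasted straight into the JSON text.
cart_payload_unsafe() {
  printf '{"items":[{"upc":"%s","quantity":%s}]}' "$1" "${2:-1}"
}

# True only for a non-empty, all-digit string of at most $2 characters.
is_digits() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "${#1}" -le "$2" ]
}

# Hardened: allow-list both values before they reach the payload.
cart_payload() {
  qty=${2:-1}
  is_digits "$1" 20 || { echo "invalid product id" >&2; return 1; }
  is_digits "$qty" 3 || { echo "invalid quantity" >&2; return 1; }
  case "$qty" in 0*) echo "invalid quantity" >&2; return 1 ;; esac
  printf '{"items":[{"upc":"%s","quantity":%s}]}' "$1" "$qty"
}

# Percent-encode everything outside the RFC 3986 unreserved set
# (ASCII input assumed), so "&" and "=" cannot start a new form field.
urlencode() (
  LC_ALL=C; s=$1; out=
  while [ -n "$s" ]; do
    rest=${s#?}; c=${s%"$rest"}; s=$rest
    case "$c" in
      [A-Za-z0-9._~-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s' "$out"
)

# Form body for the token exchange with every value encoded.
exchange_body() {
  printf 'grant_type=authorization_code&code=%s&redirect_uri=%s' \
    "$(urlencode "$1")" "$(urlencode "$2")"
}

# Constructed sample values, not real product IDs or authorization codes.
cart_payload 0001111041700 2; echo
exchange_body 'abc&redirect_uri=x' 'http://localhost:8888/callback'; echo
```

With curl, `--data-urlencode "code=$code"` performs the same encoding without a helper.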
Capability Assessment
Purpose & Capability
The name/description match the code: the script calls api.kroger.com for product search, locations, and cart operations. However the registry metadata claims no required environment variables or primary credential, while the script and SKILL.md clearly require KROGER_CLIENT_ID and KROGER_CLIENT_SECRET (and optionally a token file). This metadata omission is an incoherence.
Instruction Scope
SKILL.md and the script limit actions to Kroger's API and a local token file. The runtime instructions start a localhost HTTP listener to capture an OAuth code (when redirect_uri points to localhost) and write tokens to a file under the user's home by default; both are expected for an OAuth-based CLI but worth noting because they touch local files and open a local port temporarily.
Install Mechanism
This is instruction-only plus a shell script; there is no installer or remote download. No additional packages are pulled at install time. Risk from install mechanism is low.
Credentials
The skill requires sensitive credentials (KROGER_CLIENT_ID and KROGER_CLIENT_SECRET) to operate, and it stores user tokens in a file (default ~/.kroger-tokens.json). The registry metadata does not declare these required env vars or a primary credential, which is inconsistent and could mislead users. The script also expects TOKEN_FILE to be available to embedded Python code via environment, but the bash variable TOKEN_FILE is not exported (a bug).
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It writes/reads a token file in the user's home directory (normal for an OAuth CLI). No elevated privileges are requested.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install kroger
  3. After installation, invoke the skill by name or use /kroger
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release: Search Kroger products, add items to Kroger cart, and look up store locations via the Kroger API.
- Supports product search, cart management, and store lookup by zip code.
- Includes setup instructions for Kroger API credentials and OAuth authentication.
- Provides CLI scripts for searching products, adding to cart, finding stores, and checking authentication status.
- Environment variables allow for customization of API credentials and default store location.
Metadata
Slug kroger
Version 1.0.0
License
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is kroger?

Search Kroger products and add items to a Kroger cart via the Kroger API. Use when a user asks to find groceries, add items to their Kroger cart, look up Kro... It is an AI Agent Skill for Claude Code / OpenClaw, with 730 downloads so far.

How do I install kroger?

Run "/install kroger" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is kroger free?

Yes, kroger is completely free (open-source). You can download, install and use it at no cost.

Which platforms does kroger support?

kroger is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created kroger?

It is built and maintained by Tongyan Li (@tongyanli-hash); the current version is v1.0.0.
