← Back to Skills Marketplace
Supermarket
by
Ryan William Niemes
· GitHub ↗
· v1.1.0
523
Downloads
0
Stars
2
Active Installs
2
Versions
Install in OpenClaw
/install supermarket
Description
Search grocery products, find store locations, add items to cart, and view profile across all Kroger-family stores — Kroger, Ralphs, Fred Meyer, Harris Teete...
Usage Guidance
This skill is internally consistent: the code implements the described Kroger client and a hosted OAuth proxy whose server-side secrets are kept off the agent. The main risk is trusting the hosted proxy at us-central1-krocli.cloudfunctions.net because it holds the Kroger client_id/secret and handles exchanging/refreshing user tokens. If you don't fully trust that remote service, either: (1) self-host the provided Firebase Cloud Functions (source is bundled) and deploy them to your own project so you control the secrets, or (2) use your own Kroger developer credentials via the CLI's local mode (instructions in README). Also review the SKILL.md fully (scanner flagged a base64 block) and double-check that the login link behavior suits you. Note that the CLI may store credentials and optional Telegram tokens under ~/.config/krocli — don't provide Telegram or other tokens unless you trust the destination.
Capability Analysis
Type: OpenClaw Skill
Name: supermarket
Version: 1.1.0
The OpenClaw AgentSkills skill bundle for 'supermarket' is classified as benign. The skill's documentation (`SKILL.md`) and Go/TypeScript source code demonstrate a strong focus on transparency and security. User tokens are handled securely via OS keyring locally or are temporarily stored and immediately deleted by the hosted OAuth proxy (`firebase/functions/src/tokenUser.ts`). All external network communications are directed to the legitimate Kroger API or the documented hosted proxy (`us-central1-krocli.cloudfunctions.net`). While the CLI includes a feature to send login links via Telegram, this is not exposed as an agent instruction in `SKILL.md` and is not used for data exfiltration. No evidence of intentional harmful behavior, obfuscation, or direct prompt injection attempts against the agent was found.
Capability Assessment
Purpose & Capability
The name/description (product search, locations, cart, profile) match the included code: a CLI and Firebase Cloud Functions that implement client_token and user_token flows, product/location endpoints, and cart/profile calls. No unrelated services or credentials are requested in the skill metadata.
Instruction Scope
SKILL.md instructs the agent to use a hosted OAuth proxy endpoints (authorize, tokenClient, tokenUser, tokenRefresh) and to generate session IDs and present a login link for the browser-based OAuth flow. These instructions stay within the stated purpose. The SKILL.md explicitly says the proxy holds client_id/client_secret and that tokens are deleted after retrieval; that behavior is implemented in the provided proxy source. A prompt-injection pattern (base64-block) was detected in SKILL.md — review that section in full to confirm it isn't trying to encode hidden instructions or data (scanner found a base64 block, which often is benign but worth eyeballing).
Install Mechanism
There is no install spec (instruction-only skill for runtime); source code is bundled but nothing in the skill will automatically download or execute external binaries. The presence of Firebase function source and a Go CLI is consistent with the documented self-hosting option; no high-risk install URLs or archive extraction are present.
Credentials
The skill declares no required environment variables for agent runtime. The bundled proxy code expects server-side secrets (KROGER_CLIENT_ID and KROGER_CLIENT_SECRET) for the hosted Cloud Functions — this is appropriate for an OAuth proxy, but it means you must trust the operator of us-central1-krocli.cloudfunctions.net. The CLI optionally uses OPENCLAW_BOT_TOKEN / OPENCLAW_CHAT_ID (Telegram) or stores Telegram/credentials locally under ~/.config/krocli; that is proportional to the advertised telegram 'send login link' feature.
Persistence & Privilege
Skill is not force-included (always: false) and uses normal agent invocation. The CLI code writes user credentials/telegram config to ~/.config/krocli and the proxy writes temporary session documents to Firestore — these are reasonable for the feature set. The tokenUser function deletes the Firestore session after returning tokens, and sessions have a 5-minute TTL as described.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install supermarket - After installation, invoke the skill by name or use
/supermarket - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
Add proxy transparency docs, token persistence across sessions, self-hosting instructions, and krocli CLI alternative
v1.0.0
Initial release: Kroger-family grocery search, store locations, cart, and profile
Metadata
Frequently Asked Questions
What is Supermarket?
Search grocery products, find store locations, add items to cart, and view profile across all Kroger-family stores — Kroger, Ralphs, Fred Meyer, Harris Teete... It is an AI Agent Skill for Claude Code / OpenClaw, with 523 downloads so far.
How do I install Supermarket?
Run "/install supermarket" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Supermarket free?
Yes, Supermarket is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Supermarket support?
Supermarket is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Supermarket?
It is built and maintained by Ryan William Niemes (@niemesrw); the current version is v1.1.0.
More Skills