tongyanli-hash

kroger

Author: Tongyan Li · GitHub · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 730
Favorites: 0
Current installs: 1
Versions: 1
Install in OpenClaw
/install kroger
Description
Search Kroger products and add items to a Kroger cart via the Kroger API. Use when a user asks to find groceries, add items to their Kroger cart, look up Kro...
Usage (SKILL.md)

Kroger

Search products, add to cart, and find store locations via the Kroger public API.

Prerequisites

  • Kroger developer account at https://developer.kroger.com
  • Registered application with Product and Cart API access
  • OAuth redirect URI configured in the Kroger app settings

Environment Variables

Set these before using:

export KROGER_CLIENT_ID="your-client-id"
export KROGER_CLIENT_SECRET="your-client-secret"

Optional:

  • KROGER_TOKEN_FILE — token storage path (default: ~/.kroger-tokens.json)
  • KROGER_REDIRECT_URI — OAuth callback URL (default: http://localhost:8888/callback)
  • KROGER_LOCATION_ID — store ID for location-specific product availability

Setup (One-Time)

1. Register a Kroger Developer App

  1. Go to https://developer.kroger.com
  2. Create an application
  3. Enable Product and Cart scopes
  4. Set redirect URI to http://localhost:8888/callback
  5. Note Client ID and Client Secret

2. Authenticate

Run the auth flow — opens a browser for Kroger login:

scripts/kroger.sh auth

If the redirect URI isn't localhost (e.g., cloud-hosted), use the manual flow:

  1. Open the AUTH_URL printed by scripts/kroger.sh auth
  2. Log in at Kroger
  3. Copy the redirected URL (even if the page errors)
  4. Extract the code parameter and run:
scripts/kroger.sh exchange <code>

Tokens auto-refresh. Re-auth only needed if refresh token expires.

Actions

Search products

scripts/kroger.sh search "cannellini beans"

Returns up to 5 results with product IDs, descriptions, and brands.

Add to cart

scripts/kroger.sh add <productId> [quantity]

Requires prior OAuth login. Quantity defaults to 1.

Find nearby stores

scripts/kroger.sh locations <zipcode>

Returns up to 5 stores with location IDs. Set KROGER_LOCATION_ID to filter product search by store.

Check auth status

scripts/kroger.sh token

Workflow: Grocery List → Cart

Typical flow for adding a grocery list to Kroger:

  1. Search each item: scripts/kroger.sh search "<item>"
  2. Pick the best match from results
  3. Add to cart: scripts/kroger.sh add <productId> <qty>
  4. Repeat for all items

When adding many items, batch all searches first, then confirm selections with the user, then add all to cart.

Security recommendations
This script mostly does what it claims (calls Kroger's public API and manages OAuth tokens) but the registry metadata failed to list required secrets. Before installing: (1) verify the publisher/source and inspect the script yourself; (2) be prepared to provide KROGER_CLIENT_ID and KROGER_CLIENT_SECRET — keep them secret and store them in a restricted environment; (3) decide where tokens should be stored (default is ~/.kroger-tokens.json) and consider using a secure location; (4) note the script will optionally open a localhost listener to capture the OAuth code—run that on a trusted machine and port; (5) be aware of a small bug: the script uses TOKEN_FILE inside embedded Python but does not export it, so you may need to set/export KROGER_TOKEN_FILE or patch the script; and (6) run the script in a least-privileged account or sandbox if you have any doubt.
Functional analysis
Type: OpenClaw Skill
Name: kroger
Version: 1.0.0
The `scripts/kroger.sh` file contains several injection vulnerabilities. Specifically, the `cmd_add` function directly interpolates user-controlled `product_id` and `qty` into a JSON payload without proper escaping, making it vulnerable to JSON injection. Additionally, the `cmd_exchange` function directly uses the `$code` parameter in a `curl -d` argument, which could lead to shell injection if the code contains special characters. These are critical vulnerabilities, but there is no clear evidence of intentional malicious behavior like data exfiltration or backdoor installation.
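The `cmd_add` finding above, shown as the unsafe interpolation pattern next to an allowlist-validated version. This is an added example, not the code of `scripts/kroger.sh`; the function names, the `upc`/`quantity` payload shape and the length bounds are assumptions, and the crafted input is constructed.

```bash
#!/bin/sh
# Added example; NOT the code of scripts/kroger.sh.
# Assumptions: the payload shape {"items":[{"upc":...,"quantity":...}]} and
# both function names are hypothetical.

# Unsafe pattern described in the analysis: raw interpolation into JSON.
naive_payload() {
  printf '{"items":[{"upc":"%s","quantity":%s}]}' "$1" "${2:-1}"
}

# Hardened pattern: allowlist-validate both fields, then interpolate.
safe_payload() {
  _pid=$1
  _qty=${2:-1}
  # Product ID: digits only, 1 to 14 characters (length bound is an assumption).
  case $_pid in
    ''|*[!0-9]*) echo "rejected product id" >&2; return 1 ;;
  esac
  [ "${#_pid}" -le 14 ] || { echo "rejected product id" >&2; return 1; }
  # Quantity: positive integer without leading zero, at most 3 digits.
  case $_qty in
    ''|0*|*[!0-9]*) echo "rejected quantity" >&2; return 1 ;;
  esac
  [ "${#_qty}" -le 3 ] || { echo "rejected quantity" >&2; return 1; }
  printf '{"items":[{"upc":"%s","quantity":%s}]}' "$_pid" "$_qty"
}

# Constructed input: a quantity argument that carries extra JSON structure.
crafted_qty='1},{"upc":"9","quantity":5'
echo "naive: $(naive_payload 123 "$crafted_qty")"
echo "safe:  $(safe_payload 123 "$crafted_qty" 2>/dev/null || echo rejected)"
```

Because both fields are restricted to digits before interpolation, no escaping step is needed; a field that must carry free text would instead need a real JSON encoder.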
Capability assessment
Purpose & Capability
The name/description match the code: the script calls api.kroger.com for product search, locations, and cart operations. However the registry metadata claims no required environment variables or primary credential, while the script and SKILL.md clearly require KROGER_CLIENT_ID and KROGER_CLIENT_SECRET (and optionally a token file). This metadata omission is an incoherence.
Instruction Scope
SKILL.md and the script limit actions to Kroger's API and a local token file. The runtime instructions start a localhost HTTP listener to capture an OAuth code (when redirect_uri points to localhost) and write tokens to a file under the user's home by default; both are expected for an OAuth-based CLI but worth noting because they touch local files and open a local port temporarily.
Install Mechanism
This is instruction-only plus a shell script; there is no installer or remote download. No additional packages are pulled at install time. Risk from install mechanism is low.
Credentials
The skill requires sensitive credentials (KROGER_CLIENT_ID and KROGER_CLIENT_SECRET) to operate, and it stores user tokens in a file (default ~/.kroger-tokens.json). The registry metadata does not declare these required env vars or a primary credential, which is inconsistent and could mislead users. The script also expects TOKEN_FILE to be available to embedded Python code via environment, but the bash variable TOKEN_FILE is not exported (a bug).
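The `TOKEN_FILE` export bug noted above, reproduced with a child shell standing in for the embedded Python, followed by a fix that also keeps the token file owner-only. This is an added example, not the code of `scripts/kroger.sh`; all three function names are hypothetical.

```bash
#!/bin/sh
# Added example; NOT the code of scripts/kroger.sh. Function names are hypothetical.

# Stand-in for the embedded Python: a child process sees only exported variables.
child_view() {
  sh -c 'printf "%s" "${TOKEN_FILE:-UNSET}"'
}

# The bug as described: TOKEN_FILE is assigned but never exported.
# The subshell body keeps the unset/assignment from leaking to the caller.
unexported_view() (
  unset TOKEN_FILE
  TOKEN_FILE=$1
  child_view
)

# Fix plus hardening: export the variable and keep the token file owner-only.
init_token_file() {
  # Default path is the one documented in SKILL.md.
  TOKEN_FILE=${KROGER_TOKEN_FILE:-$HOME/.kroger-tokens.json}
  export TOKEN_FILE
  # Create the file under a restrictive umask so it is never world-readable,
  # then tighten an already existing file as well.
  ( umask 077; [ -e "$TOKEN_FILE" ] || : > "$TOKEN_FILE" )
  chmod 600 "$TOKEN_FILE"
}
```

Calling `init_token_file` with `KROGER_TOKEN_FILE` unset creates `~/.kroger-tokens.json`, so point it at a scratch path when experimenting.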
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It writes/reads a token file in the user's home directory (normal for an OAuth CLI). No elevated privileges are requested.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install kroger
  3. After installation, invoke the Skill by name or trigger it with /kroger
  4. Provide the required inputs per the Skill's parameter description to get structured output
Version history
v1.0.0
  • Initial release: Search Kroger products, add items to Kroger cart, and look up store locations via the Kroger API.
  • Supports product search, cart management, and store lookup by zip code.
  • Includes setup instructions for Kroger API credentials and OAuth authentication.
  • Provides CLI scripts for searching products, adding to cart, finding stores, and checking authentication status.
  • Environment variables allow for customization of API credentials and default store location.
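Metadata
Slug kroger
Version 1.0.0
License
Total installs 1
Current installs 1
Historical versions 1
FAQ

What is kroger?

Search Kroger products and add items to a Kroger cart via the Kroger API. Use when a user asks to find groceries, add items to their Kroger cart, look up Kro... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 730 total downloads so far.

How do I install kroger?

Run the command "/install kroger" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is kroger free?

Yes, kroger is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does kroger support?

kroger is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed kroger?

Developed and maintained by Tongyan Li (@tongyanli-hash); the current version is v1.0.0.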
