← 返回 Skills 市场
Supermarket
作者
Ryan William Niemes
· GitHub ↗
· v1.1.0
523
总下载
0
收藏
2
当前安装
2
版本数
在 OpenClaw 中安装
/install supermarket
功能描述
Search grocery products, find store locations, add items to cart, and view profile across all Kroger-family stores — Kroger, Ralphs, Fred Meyer, Harris Teete...
安全使用建议
This skill is internally consistent: the code implements the described Kroger client and a hosted OAuth proxy whose server-side secrets are kept off the agent. The main risk is trusting the hosted proxy at us-central1-krocli.cloudfunctions.net because it holds the Kroger client_id/secret and handles exchanging/refreshing user tokens. If you don't fully trust that remote service, either: (1) self-host the provided Firebase Cloud Functions (source is bundled) and deploy them to your own project so you control the secrets, or (2) use your own Kroger developer credentials via the CLI's local mode (instructions in README). Also review the SKILL.md fully (scanner flagged a base64 block) and double-check that the login link behavior suits you. Note that the CLI may store credentials and optional Telegram tokens under ~/.config/krocli — don't provide Telegram or other tokens unless you trust the destination.
功能分析
Type: OpenClaw Skill
Name: supermarket
Version: 1.1.0
The OpenClaw AgentSkills skill bundle for 'supermarket' is classified as benign. The skill's documentation (`SKILL.md`) and Go/TypeScript source code demonstrate a strong focus on transparency and security. User tokens are handled securely via OS keyring locally or are temporarily stored and immediately deleted by the hosted OAuth proxy (`firebase/functions/src/tokenUser.ts`). All external network communications are directed to the legitimate Kroger API or the documented hosted proxy (`us-central1-krocli.cloudfunctions.net`). While the CLI includes a feature to send login links via Telegram, this is not exposed as an agent instruction in `SKILL.md` and is not used for data exfiltration. No evidence of intentional harmful behavior, obfuscation, or direct prompt injection attempts against the agent was found.
能力评估
Purpose & Capability
The name/description (product search, locations, cart, profile) match the included code: a CLI and Firebase Cloud Functions that implement client_token and user_token flows, product/location endpoints, and cart/profile calls. No unrelated services or credentials are requested in the skill metadata.
Instruction Scope
SKILL.md instructs the agent to use a hosted OAuth proxy endpoints (authorize, tokenClient, tokenUser, tokenRefresh) and to generate session IDs and present a login link for the browser-based OAuth flow. These instructions stay within the stated purpose. The SKILL.md explicitly says the proxy holds client_id/client_secret and that tokens are deleted after retrieval; that behavior is implemented in the provided proxy source. A prompt-injection pattern (base64-block) was detected in SKILL.md — review that section in full to confirm it isn't trying to encode hidden instructions or data (scanner found a base64 block, which often is benign but worth eyeballing).
Install Mechanism
There is no install spec (instruction-only skill for runtime); source code is bundled but nothing in the skill will automatically download or execute external binaries. The presence of Firebase function source and a Go CLI is consistent with the documented self-hosting option; no high-risk install URLs or archive extraction are present.
Credentials
The skill declares no required environment variables for agent runtime. The bundled proxy code expects server-side secrets (KROGER_CLIENT_ID and KROGER_CLIENT_SECRET) for the hosted Cloud Functions — this is appropriate for an OAuth proxy, but it means you must trust the operator of us-central1-krocli.cloudfunctions.net. The CLI optionally uses OPENCLAW_BOT_TOKEN / OPENCLAW_CHAT_ID (Telegram) or stores Telegram/credentials locally under ~/.config/krocli; that is proportional to the advertised telegram 'send login link' feature.
Persistence & Privilege
Skill is not force-included (always: false) and uses normal agent invocation. The CLI code writes user credentials/telegram config to ~/.config/krocli and the proxy writes temporary session documents to Firestore — these are reasonable for the feature set. The tokenUser function deletes the Firestore session after returning tokens, and sessions have a 5-minute TTL as described.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install supermarket - 安装完成后,直接呼叫该 Skill 的名称或使用
/supermarket触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.1.0
Add proxy transparency docs, token persistence across sessions, self-hosting instructions, and krocli CLI alternative
v1.0.0
Initial release: Kroger-family grocery search, store locations, cart, and profile
元数据
常见问题
Supermarket 是什么?
Search grocery products, find store locations, add items to cart, and view profile across all Kroger-family stores — Kroger, Ralphs, Fred Meyer, Harris Teete... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 523 次。
如何安装 Supermarket?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install supermarket」即可一键安装,无需额外配置。
Supermarket 是免费的吗?
是的,Supermarket 完全免费(开源免费),可自由下载、安装和使用。
Supermarket 支持哪些平台?
Supermarket 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Supermarket?
由 Ryan William Niemes(@niemesrw)开发并维护,当前版本 v1.1.0。
推荐 Skills