ordercli

Fail

Audited by Socket on Feb 18, 2026

1 alert found:

Malware (HIGH)
SKILL.md

[Skill Scanner] Backtick command substitution detected.

Based on the provided README/manifest, the tool's capabilities and inputs are coherent with its stated purpose (managing Foodora/Deliveroo orders). The most sensitive features are cookie and browser-profile import and 'no password' session import, which legitimately allow session reuse and bypassing bot protection but also present a high-risk surface for credential exposure or unintended account access if the binary or repository is not trusted. There are no explicit signs of malicious intent in the documentation (no obfuscation, no suspicious external endpoints). Final recommendation: treat this as functionally legitimate but sensitive — review the repository/binary before installing or avoid pointing it at arbitrary browser profiles; do not use on untrusted machines or with profiles containing unrelated accounts.

LLM verification: Given only the SKILL.md content, the skill’s requested capabilities (reading cookies, browser profile, accepting bearer tokens/env vars, password via stdin) are consistent with a tool meant to bypass bot protections and manage sessions for Foodora/Deliveroo. Those capabilities, however, are inherently high-risk because they grant access to sensitive credentials and local browser data. No explicit malicious indicators (hardcoded keys, obfuscated code, unknown download URLs, or third-party proxy d

Confidence: 80%
Severity: 75%

Audit Metadata
Analyzed At: Feb 18, 2026, 06:12 PM
Package URL: pkg:socket/skills-sh/elizaOS%2Feliza%2Fordercli%2F@0c2e1e7141d82cb5db784242cdc48bc0a6519a53