ordercli
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the ordercli binary from an unverified GitHub repository (steipete/ordercli) via Homebrew or Go. This source is not recognized as a trusted organization or well-known service.
- [COMMAND_EXECUTION]: The skill facilitates the execution of system commands using the ordercli tool, which performs actions with real-world financial implications, such as placing and confirming food orders.
- [CREDENTIALS_UNSAFE]: The documentation provides examples for handling highly sensitive authentication data, including user passwords via standard input and bearer tokens for Deliveroo via environment variables.
- [DATA_EXFILTRATION]: The skill includes instructions and commands to import sensitive browser data, such as Chrome cookies and session profiles, which are then processed by the unverified external binary.
Audit Metadata