bring-shopping
Audited by Socket on Feb 20, 2026
1 alert found:
Malware [Skill Scanner]: Installation of third-party script detected

The skill's functionality aligns with requiring authenticated network access to Bring! lists. The main security concern is the use of an unofficial npm package that requires raw account credentials and lacks visibility around which endpoints receive those credentials. Without reviewing the actual package code and network behavior, this is a meaningful supply-chain risk: credentials could be misused if the package or its transitive dependencies are malicious or compromised. Recommend performing a source audit, verifying publisher provenance, monitoring outbound network traffic, and avoiding embedding passwords when a delegated authentication mechanism is available.

LLM verification: Overall, the approach is functionally plausible for a CLI-based Bring! management tool but relies on an unofficial dependency that may introduce supply-chain risk. Credential handling via environment variables is common but requires careful secret hygiene to mitigate leakage in logs or config dumps. Recommend: (a) verify the bring-shopping package provenance, enable npm audit and integrity checks, (b) implement secret management with least-privilege access and avoid logging credentials, (c) add