ordercli

Fail

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill's metadata specifies the installation of a binary from a third-party source not listed as a trusted organization. It uses Homebrew (steipete/tap/ordercli) and Go (github.com/steipete/ordercli/cmd/ordercli@latest) to fetch the executable.
  • [COMMAND_EXECUTION]: The skill is entirely built around the execution of the external ordercli binary. This allows the tool to run arbitrary code from an unverified source on the local system.
  • [CREDENTIALS_UNSAFE]: The skill's instructions guide the user and the agent to handle sensitive credentials in potentially unsafe ways. This includes passing passwords via standard input (--password-stdin), extracting cookies from browser profiles (ordercli foodora cookies chrome), and utilizing environment variables for authentication tokens (DELIVEROO_BEARER_TOKEN). Accessing browser cookies and profiles directly increases the risk of credential exposure.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 1, 2026, 05:14 AM