zonasul-groceries

Fail

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: HIGH (CREDENTIALS_UNSAFE, COMMAND_EXECUTION)
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill instructs users to manually extract high-entropy session credentials (VtexIdclientAutCookie_zonasul JWT and orderFormId) from their browser and provide them to the CLI. Handling raw session tokens in this manner increases the risk of credential leakage through agent logs or process environments.
  • [CREDENTIALS_UNSAFE]: The checkout workflow explicitly encourages passing the credit card CVV via the --cvv command-line flag. Secrets passed as CLI arguments are insecure as they are typically recorded in the user's shell history (e.g., .bash_history) and are visible to other users/processes in the system's process table.
  • [COMMAND_EXECUTION]: The skill requires building a binary from source (make build) and executing it. This grants the skill full shell access via the Bash tool. While targeting a legitimate domain (zonasul.com.br), the execution of an unverified local binary that handles both session tokens and credit card details represents a significant attack surface.
  • [DATA_EXFILTRATION]: While the skill targets legitimate Brazilian e-commerce domains, the combination of high-value credential handling (JWTs and CVVs) and arbitrary network access through the custom CLI tool creates a potential vector for data exfiltration if the underlying CLI code is compromised or malicious.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 6, 2026, 09:55 PM