Picnic Groceries: why it is not safe to use
Picnic Groceries passed most checks, but it needs your full Picnic login, can place real orders, and caches a session token in plaintext locally.
What we found
The mcp-picnic skill (ivo-toby/mcp-picnic) came back clean on most of our checks. We saw no prompt injection or hidden directives, no third-party data exfiltration, no hardcoded secrets, no shell or filesystem commands, and no obfuscation. Outbound traffic stays within Picnic's own regional API, chosen by PICNIC_COUNTRY_CODE, and the server runs as a non-root user in Docker.
One check raised a caution flag. The skill asks for your Picnic account username and password as environment variables rather than a scoped API token. With those credentials it can read your payment profile and wallet transactions and place or cancel real grocery orders. After login, the session token (not your password) is cached in plaintext at ~/.picnic-session.json. For as long as that token is valid it grants the same access as the login itself, so anyone who can read the file (another user on the machine, a backup, a cloud-sync client) could reuse your session without knowing your password.
None of this looks malicious. It is the access the skill needs to do its job. Our concern is the breadth of that access paired with plaintext local storage.
What to do instead
If you use it, run it inside the provided Docker setup on a device you control, and treat ~/.picnic-session.json like a credential: restrict it to your own user (owner read/write only, mode 600) and keep it out of backups and cloud sync. Consider a secondary Picnic account to limit exposure of your main payment profile. When you are done, log out first and then delete the cached session file: deleting the file only removes the local copy, while logging out is what ends the session on Picnic's side.
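The two file-handling steps above, as an added shell example written for this review (it is not code from the mcp-picnic project): one function checks whether the cached session file is readable by anyone other than its owner, one tightens it to mode 600, and one removes it once you have logged out. The path ~/.picnic-session.json is the one named in the review; the function names and the constructed sample file are assumptions made here for illustration, and the sample holds a fake token so the script runs offline.

```shell
#!/bin/sh
# Added example for this review, not code from mcp-picnic.
# Target in real use: "$HOME/.picnic-session.json" (path from the review).

# Return 0 if only the file's owner has any permission bits set, 1 otherwise.
# Reads the group/other columns of `ls -l` (characters 5-10), which is portable
# across GNU and BSD userlands, unlike the differing `stat` flags.
session_file_is_private() {
  f="$1"
  [ -e "$f" ] || return 1
  mode=$(ls -ld "$f" | cut -c5-10)
  [ "$mode" = "------" ]
}

# Restrict the file to owner read/write (mode 600) and verify the result.
lock_down_session_file() {
  f="$1"
  [ -e "$f" ] || return 1
  chmod 600 "$f" || return 1
  session_file_is_private "$f"
}

# Remove the cached token so it cannot be reused from disk.
# This only deletes the local copy; log out of Picnic first so the
# session itself is ended on the server side.
revoke_session_file() {
  f="$1"
  [ -e "$f" ] || return 0
  rm -f "$f"
  [ ! -e "$f" ]
}

# Constructed sample (assumption): a stand-in for ~/.picnic-session.json
# containing a fake token, deliberately left world-readable the way a
# permissive umask would leave a freshly written file.
demo_session_file() {
  tmp=$(mktemp) || return 1
  printf '{"authKey":"EXAMPLE-NOT-A-REAL-TOKEN"}\n' > "$tmp"
  chmod 644 "$tmp"
  printf '%s\n' "$tmp"
}

# Usage on a real install, after logging out of Picnic:
#   lock_down_session_file "$HOME/.picnic-session.json"   # while still using it
#   revoke_session_file   "$HOME/.picnic-session.json"   # when you are done
```

Run the check before and after each session rather than once: any tool that rewrites the file can reset its mode, and the group/other columns are what a backup agent or sync client on the same account will honour.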
Source: https://github.com/ivo-toby/mcp-picnic
We report what our security review found at the time we checked, with the goal of keeping people safe. Projects change; if a maintainer has since fixed this, we are glad to recheck it. Email hello@agentpod.com.