Security issue?

Hi – just received a very worrying e-mail from my pi that runs Raspbian & Kodi 17:

raspberrypi : Jun 6 18:55:14 : kodi : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/kodi ; USER=root ; COMMAND=/bin/grep -E ^pi: /etc/shadow

This smells bad because no application ever should need to execute grep for passwords, that’s not the way Linux authentication works, anything legit uses PAM. Sudo grep on shadow looks even worse.

I did a quick grep for sudo|grep|shadow in /home/kodi, nothing there, it’s either obfuscated or part of kodi itself?

Kodi is Version: 2:17.3-1~jessie from the raspbian repo, with a million plugins, but not running as root thank $deity