Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Gno
v0.14.3
Search local documents, files, notes, and knowledge bases. Index directories, search with BM25/vector/hybrid, get AI answers with citations. Use when user wants to search files, find documents, query notes, look up information in local folders, index a directory, set up document search, build a knowledge base, needs RAG/semantic search, or wants to start a local web UI for their docs.
by @gmickel
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's purpose is local document search and integration with AI clients, which matches the instructions. However the SKILL.md assumes a 'gno' CLI and common Unix tools (jq, head, xargs, cut, etc.) will be available and runs commands like 'gno mcp install' that modify other application configs; yet the registry metadata lists no required binaries or install steps. That discrepancy (declaring no required binary while instructing heavy use of 'gno' and other CLI tools) is inconsistent and should be resolved before trusting the skill.
Instruction Scope
Instructions stay within the advertised domain (indexing/searching local files, starting a local web UI, installing MCP integration). They explicitly instruct reading arbitrary local folders (~/Documents, patterns), running pipelines that fetch document URIs and content, and show how to install an MCP server which modifies client config files. Those actions are expected for a local knowledge engine, but they grant broad read (and optionally write, if enabled) access to local data and to other applications' configurations — so review and user consent are important.
Install Mechanism
There is no install spec (instruction-only). That lowers disk-write risk from the skill bundle itself. However the SKILL.md assumes installation or presence of external binaries and model downloads (gno models pull), which the skill does not manage — another reason to verify the actual gno binary and its source on the host.
Credentials
The skill requests no environment variables or credentials in metadata, which is appropriate for an offline local indexer. The SKILL.md claims 'No cloud, no API keys.' It does reference remote docs (gno.sh) and model downloads, but does not demand secrets. This is proportional to its stated purpose.
Persistence & Privilege
always:false and autonomous invocation defaults are normal. The SKILL.md documents 'gno mcp install' and shows how to add GNO as an MCP server inside other client configs (e.g., Claude desktop). Running those commands can create persistent integration with other AI clients and can enable write-capable tools if the user chooses '--enable-write'. That persistence is not automatic in the skill bundle, but it's an important side effect to be aware of before running install steps.
What to consider before installing
This skill is instruction-only and intends to run the local 'gno' CLI to index and search your files. Before installing or invoking it:
1) Verify you actually have the 'gno' binary you trust (the SKILL.md assumes it exists, but the skill metadata did not declare it).
2) Understand running the commands will read arbitrary directories and files you add to collections (this is required for the skill to work).
3) Be cautious with 'gno mcp install' or any 'enable-write' flags — those modify other client configs (persistent integration) and can grant write capabilities.
4) Check any model-download steps (gno models pull) to ensure they come from trusted sources.
5) If you don't want the skill to change other apps, avoid running MCP install steps or granting write permissions.
If the maintainer can clarify the expected required binaries and provide an official install source for the gno binary, that would raise confidence.
Like a lobster shell, security has layers — review code before you run it.
