Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Grago
v1.0.1Delegate web and API data fetching to local LLMs for research tasks, saving tokens and keeping data private while using your local machine for analysis.
⭐ 0· 463·0 current·0 all-time
by@solsuk
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (delegate web/API fetches to local LLMs) match the code and instructions: the scripts fetch URLs, read files, transform data, and send results to a local Ollama model. The installer pulls Ollama and a model as described. Requested capabilities are proportional to the declared purpose.
Instruction Scope
SKILL.md and grago.sh allow execution of arbitrary shell commands (cmd_pipe uses eval on fetch/transform commands; cmd_fetch and cmd_research run transforms via eval). The research flow can read arbitrary file paths from sources.yaml (cat $path). These behaviors are explicitly documented in SECURITY.md, but they mean the skill can access files and run commands beyond narrow fetch tasks — so it must only be used in trusted, single-user environments.
Install Mechanism
There is no packaged install spec in the registry, but install.sh runs an installer: on macOS it uses brew to install Ollama; on other OSes it runs curl -fsSL https://ollama.ai/install.sh | sh. Pulling models via ollama pull is expected. Using an official vendor URL (ollama.ai) is reasonable, but piping a remote install script to sh is higher-risk than packaged installs and should be inspected before running.
Credentials
The skill declares no required env vars or credentials, and the code does not require external secrets. However, sources.yaml examples in README show header values like Authorization: "Bearer ${API_KEY}", implying users may expose env-based secrets via sources config; the skill does not declare or manage those. The script reads arbitrary file paths and could expose local secrets if sources.yaml is used unsafely. This is consistent with the tool's purpose but worth caution.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. Installer writes to typical per-user locations (~/.grago, ~/.local/bin or /usr/local/bin) and copies SKILL.md into OpenClaw workspace if present. It does not modify other skills or global agent settings beyond installing its files.
Scan Findings in Context
[shell-eval-user-input] expected: grago.sh intentionally uses eval to run transform and fetch commands (e.g., eval "$transform", eval "$fetch_cmd"); SECURITY.md explicitly states this is by design. The scanner finding is correct and expected.
[arbitrary-file-read] expected: cmd_research supports type:file and reads paths via cat $path, allowing local file inclusion as part of research. This is necessary for local-log research use cases but means local secrets could be read if configured.
[prompt-injection-risk] expected: SKILL.md and SECURITY.md acknowledge prompt-injection risks: if the agent is compromised, Grago will execute arbitrary commands. This is an intended trade-off for the feature.
Assessment
Grago is coherent with its stated goal but deliberately runs arbitrary shell commands and can read local files — this makes it dangerous on shared or untrusted machines. Only install and run Grago on devices you fully control (personal Mac/VPS/workstation). Before installing: review install.sh (it may run ollama's remote install script), inspect grago.sh for eval usage, and ensure no sensitive files or credentials are reachable from sources.yaml or from commands you allow the agent to run. Do not use on multi-tenant systems, public-facing agents, or machines containing secrets you can't afford to expose. If you need narrower, safer behavior, prefer a tool that uses explicit, whitelisted HTTP calls rather than eval-ing shell commands.Like a lobster shell, security has layers — review code before you run it.
latestvk9705fxwbj5k2vevft11cfk79581tdj7
License
MIT-0
Free to use, modify, and redistribute. No attribution required.