Grago

Security checks across malware telemetry and agentic risk

Overview

Grago is transparent about its purpose, but it gives an agent broad unsandboxed shell and file access on the user's machine.

Install only on a trusted personal machine, VM, or container where you are comfortable letting your OpenClaw agent run shell commands as your user. Do not use it on shared systems, public agent endpoints, or machines with sensitive files unless you add sandboxing and review sources.yaml files before use. Keep model endpoints local or otherwise trusted, and avoid putting long-lived secrets in configs or command strings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding
The script is presented as being for 'tool-less local models', but the analyze() function falls back to sending prompts and collected data to a configurable HTTP endpoint. This mismatch can cause users to provide sensitive local or fetched data under the false assumption it never leaves the machine, increasing the risk of unintentional data exposure.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding
The help text describes pipe as a simple fetch-transform-analyze workflow, but the implementation executes --fetch and --transform via eval. If a user passes untrusted input or assumes these options are declarative rather than shell-executed, arbitrary command execution can occur with the user's privileges.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding
The documented transform option is framed as data transformation, but in practice it runs arbitrary shell code. This is dangerous because users may treat transform expressions like harmless jq-style filters when they are actually command execution sinks.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The README explicitly promotes fetching local files and using API credentials, but the privacy and secret-handling risks are underexplained relative to the power of the tool. In a skill that already admits arbitrary shell execution, encouraging access to file paths and bearer tokens increases the chance that prompt injection, misconfiguration, or overbroad agent instructions expose sensitive local data or credentials.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
In cmd_fetch, the value supplied to --transform is executed with eval against fetched content. Any untrusted or mistakenly constructed transform string can execute arbitrary commands, and the feature is not labeled as shell execution, making accidental misuse more likely.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
In research mode, per-source transforms from a YAML file are executed through eval. Because the transforms are data-driven and may come from shared source definitions, this creates a strong command-injection and arbitrary code execution risk with little user visibility.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The --fetch parameter in pipe mode is executed directly via eval, meaning the tool can run arbitrary shell commands rather than just retrieving data. Without explicit warning in the interface, users may unknowingly provide or reuse hostile command strings, resulting in full command execution.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The --transform option in pipe mode also uses eval, creating another arbitrary shell execution sink. Since the command is described as a transform step rather than shell execution, the skill context makes this more dangerous by encouraging use with piped or external data workflows where trust boundaries are often unclear.
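
As an added illustration of the eval sinks described in the pipe, fetch and research findings above (this is not Grago's own code; the function names and the sample content are constructed for the example), the vulnerable pattern is shown next to a hardened one that hands the transform string to a fixed filter program as a single argument:

```shell
#!/bin/sh
# Added example, not Grago's code: a user-supplied transform string handed
# to eval, next to a hardened variant. Names are hypothetical; the sample
# content is constructed.

# Constructed stand-in for "fetched content".
SAMPLE_CONTENT='alpha 1
beta 2
alpha 3'

# Vulnerable pattern: whatever arrives as --transform (or as a per-source
# transform in sources.yaml) becomes a shell command line. A ';' or '|' in
# the string is enough to run a second command as the current user.
transform_eval() {
    printf '%s\n' "$1" | eval "$2"
}

# Hardened pattern: the transform is one argv element for a fixed,
# non-shell program (grep -E here, standing in for a jq/sed-style filter).
# Shell metacharacters in it are just characters of the pattern.
transform_filter() {
    printf '%s\n' "$1" | grep -E -- "$2"
}

# Run a hostile "transform" through both sinks and report which one
# executed the smuggled command. Prints "<eval_hit> <filter_hit>".
demo_injection() {
    tmp=$(mktemp -d) || return 1
    marker="$tmp/pwned"
    hostile="grep -E alpha; echo hello > $marker"

    transform_eval "$SAMPLE_CONTENT" "$hostile" >/dev/null 2>&1 || true
    if [ -f "$marker" ]; then eval_hit=1; else eval_hit=0; fi
    rm -f "$marker"

    transform_filter "$SAMPLE_CONTENT" "$hostile" >/dev/null 2>&1 || true
    if [ -f "$marker" ]; then filter_hit=1; else filter_hit=0; fi

    rm -rf "$tmp"
    echo "$eval_hit $filter_hit"
}
```

The same rule covers the per-source transforms loaded from sources.yaml: parse them as filter expressions for a fixed program, and if a source genuinely needs a shell step, gate it behind an explicit opt-in so the user knows a command line is about to run with their privileges.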

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
Fetched web data and local file content are forwarded to a model endpoint, but the tool does not clearly disclose this transmission behavior to users. In this skill context, the tool aggregates multi-source research data, which may include sensitive internal files or proprietary material, so hidden transmission materially increases privacy and compliance risk.
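
The two transmission findings (the analyze() fallback to a configurable HTTP endpoint, and the forwarding of fetched and local content to the model endpoint) both come down to where the endpoint points. The following added example, which is not Grago's code and uses hypothetical function names, gates the send step on the endpoint host being loopback or on an explicit allowlist, and rejects the look-alike hosts that a naive prefix check would let through:

```shell
#!/bin/sh
# Added example, not Grago's code: refuse to send fetched content to a
# model endpoint unless its host is loopback or on an explicit allowlist.
# Function names are hypothetical.

# Extract the host from a URL: drop scheme, path, userinfo and port,
# and unwrap a bracketed IPv6 literal.
url_host() {
    rest=${1#*://}
    auth=${rest%%/*}
    auth=${auth##*@}
    case $auth in
        \[*) auth=${auth#\[}; auth=${auth%%\]*} ;;
        *)   auth=${auth%%:*} ;;
    esac
    printf '%s\n' "$auth"
}

# 0 if the host is a loopback name or address. The IPv4 branch insists on
# exactly four numeric octets so "127.0.0.1.evil.example" does not pass.
is_loopback_host() {
    case $1 in
        localhost|::1) return 0 ;;
    esac
    IFS=. read -r a b c d extra <<EOF
$1
EOF
    [ "$a" = 127 ] || return 1
    [ -z "$extra" ] || return 1
    for octet in "$b" "$c" "$d"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# endpoint_allowed URL [ALLOWLIST]: 0 when the host is loopback or appears
# in the space-separated ALLOWLIST of exact hostnames, 1 otherwise.
endpoint_allowed() {
    host=$(url_host "$1")
    if is_loopback_host "$host"; then return 0; fi
    for allowed in $2; do
        [ "$host" = "$allowed" ] && return 0
    done
    return 1
}

# Gate the analyze step: only "send" (here: print the destination) when the
# endpoint passes the check; otherwise say what was refused and why.
send_for_analysis() {
    if ! endpoint_allowed "$1" "${3:-}"; then
        echo "refusing to send ${#2} bytes to non-local endpoint $1" >&2
        return 1
    fi
    printf 'would POST %d bytes to %s\n' "${#2}" "$1"
}
```

Matching on the exact hostname rather than a substring is the point of the allowlist: `localhost.evil.example` and `127.0.0.1.evil.example` are ordinary remote hosts and must not be treated as local.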

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The script downloads a remote installer from ollama.ai and immediately executes it via a shell pipeline. This is dangerous because any compromise of the remote host, TLS interception, or unexpected upstream script change results in arbitrary code execution on the user's machine during installation.
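
A download-then-verify-then-run flow that closes the gap described in this finding, as an added example rather than Grago's installer (function names are hypothetical; the pinned digest would be recorded when the installer version is reviewed):

```shell
#!/bin/sh
# Added example, not Grago's installer: instead of "curl ... | sh", save the
# installer, compare it with a digest pinned in advance, and execute only on
# a match. Function names are hypothetical.

# Hex SHA-256 of a file, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# 0 if FILE's SHA-256 equals EXPECTED (hex, case-insensitive).
verify_sha256() {
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Execute FILE with sh only after its digest matches EXPECTED.
run_if_verified() {
    if ! verify_sha256 "$1" "$2"; then
        echo "digest mismatch for $1; not executing" >&2
        return 1
    fi
    sh "$1"
}

# Download URL to a temp file and hand it to run_if_verified. With the
# digest pinned, a changed upstream script, a compromised host or a TLS
# interception all fail the check instead of running.
fetch_verify_run() {
    tmp=$(mktemp) || return 1
    if ! curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$1"; then
        rm -f "$tmp"; return 1
    fi
    if run_if_verified "$tmp" "$2"; then rc=0; else rc=$?; fi
    rm -f "$tmp"
    return "$rc"
}
```

Usage is `fetch_verify_run "$INSTALLER_URL" "$PINNED_SHA256"`; the digest comes from a copy of the installer you have read, not from the same server at install time, otherwise the check only proves the download was not corrupted in transit.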

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
```yaml
- name: live_api
  type: api
  url: "https://api.example.com/v1/stats"
  headers:
    Authorization: "Bearer ${API_KEY}"
```
Confidence: 89%
Finding
https://api.example.com/

Unrestricted Tool Access

Severity: Medium
Category: Excessive Agency
Content:
**Grago executes shell commands by design.** This is intentional and necessary — local LLMs can't use tools natively, so Grago bridges the gap by running commands on your behalf.

**Risk:** If your OpenClaw agent is compromised or prompt-injected, Grago can execute arbitrary commands on your machine.

**Safe for:**
- ✅ Personal Mac Mini / VPS running your own OpenClaw agent
Confidence: 98%
Finding
execute arbitrary commands

VirusTotal

66/66 vendors flagged this skill as clean.
