Suspicious — Risk Score 50/100
Last scan: 1 day ago
Grok Swarm
Multi-agent intelligence powered by Grok 4.20 Multi-Agent Beta for code analysis, refactoring, generation, and complex reasoning
The Grok Swarm skill reads credentials from OpenClaw auth profiles and executes shell commands via its --execute flag, neither of which SKILL.md documents; its only dependency, openai, is unpinned, which creates supply chain risk.
Skill Name: Grok Swarm
Duration: 57.8s
Engine: pi
Use with caution
Document the credential sources and the shell execution capability explicitly in SKILL.md. Pin the openai dependency to a specific version. Restrict --execute to an allowlist of documented safe commands.

Findings (3 items)

Medium · Doc Mismatch · bridge/grok_bridge.py:65
Undeclared credential access from OpenClaw auth profiles
grok_bridge.py reads API keys from multiple OpenClaw auth profile locations (~/.openclaw/agents/*/auth-profiles.json), but this credential harvesting is not declared in SKILL.md.
    auth_paths = [Path.home() / ".openclaw" / "agents" / "coder" / "agent" / "auth-profiles.json", ...]
→ Document every credential source in SKILL.md, or read only from paths the user has explicitly configured.

Medium · RCE · bridge/cli.py:130
Undeclared arbitrary shell command execution
cli.py provides an --execute/-e flag that hands an arbitrary command string to subprocess.run with shell=True, so shell metacharacters (;, |, $(...), redirects) in the argument are interpreted by /bin/sh. Whoever, or whatever agent, can drive the CLI gets unrestricted command execution as the invoking user; the scan classes this as RCE. None of this is mentioned in SKILL.md.
    subprocess.run(args.execute, shell=True, capture_output=True, text=True, timeout=300)
→ Either document this capability prominently in SKILL.md or restrict it to an allowlist of safe commands run without a shell.

Low · Supply Chain · install.sh:47
Unpinned dependency with loose version constraint
install.sh installs openai>=1.0.0 with no upper bound or exact pin, so each run resolves to whatever the newest release on PyPI is at install time; a compromised or buggy future release would be picked up automatically.
    pip install -q openai>=1.0.0
→ Pin to a specific version (openai==1.60.0 or similar) and, ideally, verify the download with pip's --require-hashes. Note also that, if install.sh really contains the unquoted form shown, a POSIX shell parses openai>=1.0.0 as the package name openai followed by a redirect of stdout to a file named =1.0.0, so the version constraint never reaches pip at all; quote the specifier ('openai==1.60.0').
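As an added example (not code from the Grok Swarm skill or from the scanner), the --execute pattern flagged above beside a shell-free, allowlisted replacement. The allowlist, the function names and the sample commands are assumptions; the point is that shell=False hands argv straight to execve, so nothing in the arguments can be re-interpreted, and the allowlist limits which binaries can start at all.

```python
"""Added example: the flagged --execute pattern beside a shell-free, allowlisted
replacement. Not code from the Grok Swarm skill; the allowlist, names and sample
commands are assumptions."""
from __future__ import annotations

import shlex
import subprocess

# Assumed allowlist. Only binaries whose arguments cannot escalate belong here:
# python, git, sh, curl and the like would hand back arbitrary execution.
ALLOWED_COMMANDS = frozenset({"ls", "cat", "echo", "wc", "head"})


class CommandRejected(ValueError):
    """A command string failed the allowlist or contained shell operators."""


def unsafe_execute(command: str, timeout: int = 300) -> subprocess.CompletedProcess:
    """The pattern the scan flags: the whole string goes to /bin/sh, so ';', '|',
    '$(...)' and redirects are all interpreted. Kept only for contrast."""
    return subprocess.run(command, shell=True, capture_output=True, text=True, timeout=timeout)


def parse_allowed(command: str) -> list[str]:
    """Tokenise like a POSIX shell (quotes honoured, no expansion), splitting
    shell operators into their own tokens, then enforce the allowlist."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    try:
        argv = list(lex)
    except ValueError as exc:  # e.g. "No closing quotation"
        raise CommandRejected(f"cannot parse: {exc}") from exc
    if not argv:
        raise CommandRejected("empty command")
    # Any token made only of ();<>|& is an operator (or a quoted look-alike, which
    # is refused too, conservatively); with shell=False it would be passed literally.
    operators = [t for t in argv if t and all(c in lex.punctuation_chars for c in t)]
    if operators:
        raise CommandRejected(f"shell operators not permitted: {operators}")
    if argv[0] not in ALLOWED_COMMANDS:
        raise CommandRejected(f"{argv[0]!r} is not an allowed command")
    return argv


def is_allowed(command: str) -> bool:
    """Decision only, no execution: handy for logging what --execute would refuse."""
    try:
        parse_allowed(command)
        return True
    except CommandRejected:
        return False


def run_allowed(command: str, timeout: int = 300) -> subprocess.CompletedProcess:
    """Execute without a shell: argv goes straight to execve, nothing in the
    arguments is re-interpreted, and only allowlisted binaries can start."""
    return subprocess.run(parse_allowed(command), shell=False, capture_output=True,
                          text=True, timeout=timeout)


if __name__ == "__main__":
    # Constructed samples: the same string, interpreted by a shell vs refused.
    print(unsafe_execute("echo one; echo two").stdout, end="")  # both commands run
    print("allowed:", is_allowed("echo one; echo two"))          # False
    print(run_allowed("echo one").stdout, end="")                # one
```

The allowlist is only as safe as its weakest entry: anything that takes a `-c`, a config override or a script argument (python, git, make, curl with `-o`) gives arbitrary execution back, so the list should contain tools whose arguments cannot escalate, and the timeout from the original call is kept because a hung child is still a denial of service.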
Declared vs Inferred Resource Access

Resource     | Declared | Inferred | Status      | Evidence
Filesystem   | READ     | WRITE    | ✓ Aligned   | SKILL.md states 'File Writing' feature
Network      | READ     | READ     | ✓ Aligned   | openrouter.ai API calls documented in SKILL.md
Shell        | NONE     | WRITE    | ✗ Violation | cli.py:130 subprocess.run with shell=True for --execute flag
Environment  | NONE     | READ     | ✗ Violation | grok_bridge.py:49 reads OPENROUTER_API_KEY and XAI_API_KEY; reads ~/.openclaw/*/…
Skill Invoke | NONE     | NONE     |             | No skill invocation detected
External URLs (1 finding)

Medium · External URL · https://openrouter.ai/api/v1 · bridge/grok_bridge.py:29

File Tree

7 files · 39.0 KB · 1255 lines
Python: 3 files, 851 lines · JavaScript: 1 file, 204 lines · Markdown: 1 file, 89 lines · Shell: 1 file, 84 lines · JSON: 1 file, 27 lines
├─ 📁 bridge
│ ├─ 🐍 apply.py Python 190L · 5.6 KB
│ ├─ 🐍 cli.py Python 269L · 9.3 KB
│ ├─ 🐍 grok_bridge.py Python 392L · 13.6 KB
│ └─ 📜 index.js JavaScript 204L · 5.4 KB
├─ 🔧 install.sh Shell 84L · 2.4 KB
├─ 📋 openclaw.plugin.json JSON 27L · 837 B
└─ 📝 SKILL.md Markdown 89L · 1.9 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
openai  | >=1.0.0 | pip    | No          | Version not pinned; see the Low supply chain finding above
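An added example, not the scanner's own logic and not the skill's code, of the static checks behind the Doc Mismatch, Shell/Environment and Supply Chain findings above and the Declared/Inferred table: it walks Python sources with ast for shell=True calls and for string literals naming credential files or *_API_KEY variables, reports those that SKILL.md never declares, and flags pip installs in install.sh that lack an exact == pin. The sample files are constructed to mimic the report's file tree and snippets; every function name and matching heuristic is an assumption.

```python
"""Added example of the static checks behind the Doc Mismatch, Shell/Environment
and Supply Chain findings. Not the scanner's logic and not the skill's code; the
sample files are constructed and every heuristic is an assumption."""
from __future__ import annotations

import ast
import re
from dataclasses import dataclass

# Substrings marking a credential source: profile files, the host's config
# directory, and *_API_KEY environment variables.
CREDENTIAL_MARKERS = ("auth-profiles", ".openclaw", "_API_KEY")
# Words SKILL.md must contain for a capability to count as declared.
DECLARATION_WORDS = {
    "Shell": ("shell", "--execute", "command execution"),
    "Credential": ("credential", "auth-profile", "api key"),
}
PIP_INSTALL_RE = re.compile(r"\bpip3?\s+install\b(.*)$")
EXACT_PIN_RE = re.compile(r"^[A-Za-z0-9_.\-]+(\[[^\]]*\])?==\S+$")


@dataclass(frozen=True, order=True)
class Finding:
    severity: str
    category: str
    file: str
    line: int
    detail: str


def _shell_true(call: ast.Call) -> bool:
    """True for a call carrying the literal keyword shell=True."""
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)


def scan_python(path: str, source: str) -> list[Finding]:
    """One Shell finding per shell=True call, one Credential finding per line
    that embeds a credential path or *_API_KEY variable name."""
    found: set[Finding] = set()  # a set so two literals on one line count once
    for node in ast.walk(ast.parse(source, filename=path)):
        if isinstance(node, ast.Call) and _shell_true(node):
            found.add(Finding("Medium", "Shell", path, node.lineno,
                              "subprocess call with shell=True"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(m in node.value for m in CREDENTIAL_MARKERS):
                found.add(Finding("Medium", "Credential", path, node.lineno,
                                  "reads a credential source fixed in code"))
    return sorted(found)


def is_pinned(spec: str) -> bool:
    """openai==1.60.0 is pinned; openai, openai>=1.0.0 and openai~=1.0 are not."""
    return bool(EXACT_PIN_RE.match(spec))


def scan_install(path: str, text: str) -> list[Finding]:
    """Flag every requirement on a pip install line that lacks an exact == pin."""
    found = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = PIP_INSTALL_RE.search(line)
        if not match:
            continue
        for spec in match.group(1).split():
            if not spec.startswith("-") and not is_pinned(spec):  # skip flags like -q
                found.append(Finding("Low", "Supply Chain", path, lineno,
                                     f"{spec} is not pinned to an exact version"))
    return found


def audit(files: dict[str, str]) -> list[Finding]:
    """Scan a skill bundle (path -> contents) and compare inferred capabilities
    with what SKILL.md declares, as in the Declared/Inferred table."""
    findings: list[Finding] = []
    for path, text in files.items():
        if path.endswith(".py"):
            findings += scan_python(path, text)
        elif path.endswith(".sh"):
            findings += scan_install(path, text)
    skill_md = files.get("SKILL.md", "").lower()
    for category, words in DECLARATION_WORDS.items():
        hits = [f for f in findings if f.category == category]
        if hits and not any(w in skill_md for w in words):
            findings.append(Finding("Medium", "Doc Mismatch", "SKILL.md", 0,
                                    f"{category} capability used at {hits[0].file}:"
                                    f"{hits[0].line} is not declared"))
    return findings


def counts(findings: list[Finding]) -> dict[str, int]:
    out: dict[str, int] = {}
    for f in findings:
        out[f.category] = out.get(f.category, 0) + 1
    return out


# Constructed sample mimicking the file tree and the snippets in the report.
SAMPLE_FILES = {
    "bridge/grok_bridge.py": '''\
import os
from pathlib import Path

def api_key():
    key = os.environ.get("OPENROUTER_API_KEY") or os.environ.get("XAI_API_KEY")
    auth_paths = [Path.home() / ".openclaw" / "agents" / "coder" / "agent" / "auth-profiles.json"]
    return key, auth_paths
''',
    "bridge/cli.py": '''\
import subprocess

def execute(command):
    return subprocess.run(command, shell=True, capture_output=True, text=True, timeout=300)
''',
    "install.sh": "#!/bin/sh\npip install -q openai>=1.0.0\n",
    "SKILL.md": "# Grok Swarm\nFeatures: File Writing and calls to the openrouter.ai API.\n",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_FILES):
        print(f"{f.severity:6} {f.category:13} {f.file}:{f.line}  {f.detail}")
```

Run against the constructed bundle it reports the same shape as the table above: one Shell hit, two Credential hits (the environment lookup and the hard-coded auth-profiles path), one unpinned pip requirement, and two Doc Mismatch entries because the sample SKILL.md mentions neither capability. It is a heuristic, not a proof: a capability reached through getattr or string building would slip past the ast walk, which is why the scanner's Declared/Inferred result should be read alongside the code rather than instead of it.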

Security Positives

✓ Path traversal protection in file-writing operations: _safe_dest() and relative_to() checks validate that destination paths stay inside the target directory
✓ File writes default to dry-run mode unless the --apply flag is explicitly provided
✓ API calls go to the documented openrouter.ai endpoint, not to hidden C2 infrastructure
✓ Morph LLM integration has path validation before file operations
✓ No base64 encoding, eval(), or obfuscation detected
✓ No direct IP network requests to suspicious destinations