Skill Trust Decision

Grok Swarm

The Grok Swarm skill contains undocumented credential access to OpenClaw auth profiles and shell execution via the --execute flag, and its unpinned dependencies create supply-chain risk.

Source: Manual upload · Scanned: Apr 4, 2026

Files: 7 · Artifacts: 1 · Violations: 2 · Findings: 3

Why this conclusion was reached

1/4 dimensions flagged

Block: Declared vs actual capability
2 undeclared or violating capabilities were inferred.

Review: Hidden execution and egress
1 lower-risk artifact was extracted and still needs context.

Pass: Attack chain and severe findings
There is no explicit malicious chain in the report.

Review: Dependencies and supply chain hygiene
1 dependency or supply-chain issue needs attention.

What drove the risk score up

Undeclared credential access (+20)
grok_bridge.py reads API keys from OpenClaw auth-profiles.json without any declaration in SKILL.md.

Undeclared shell execution (+20)
The cli.py --execute flag allows arbitrary shell commands and is not documented in SKILL.md.

Unpinned dependency (+10)
openai>=1.0.0 has no upper bound, so any future release, including a compromised one, would be installed.

Most important evidence

Severity: Medium · Category: Doc Mismatch
Undeclared credential access from OpenClaw auth profiles
grok_bridge.py reads API keys from multiple OpenClaw auth profile locations (~/.openclaw/agents/*/auth-profiles.json), but this credential-harvesting behavior is not declared in SKILL.md.
Location: bridge/grok_bridge.py:65
Recommendation: Document all credential sources in SKILL.md, or limit reads to explicitly user-configured paths only.

Severity: Medium · Category: RCE
Undeclared arbitrary shell command execution
cli.py provides an --execute/-e flag that runs arbitrary shell commands via subprocess with shell=True. This is a powerful RCE capability that is not mentioned in SKILL.md.
Location: bridge/cli.py:130
Recommendation: Either document this capability prominently in SKILL.md or restrict it to a whitelist of safe commands.

Severity: Low · Category: Supply Chain
Unpinned dependency with loose version constraint
install.sh installs openai>=1.0.0 without an upper bound or exact version pin, allowing any future malicious or buggy version to be installed.
Location: install.sh:47
Recommendation: Pin to a specific version (e.g. openai==1.60.0).

Declared capability vs actual capability

Capability     Verdict  Declared  Inferred  Evidence
Filesystem     Pass     READ      WRITE     SKILL.md states 'File Writing' feature
Network        Pass     READ      READ      openrouter.ai API calls documented in SKILL.md
Shell          Block    NONE      WRITE     cli.py:130 subprocess.run with shell=True for --execute flag
Environment    Block    NONE      READ      grok_bridge.py:49 reads OPENROUTER_API_KEY and XAI_API_KEY; reads ~/.openclaw/*/auth-profiles.json
Skill Invoke   Pass     NONE      NONE      No skill invocation detected

Suspicious artifacts and egress

Severity: Medium · Category: External URL
https://openrouter.ai/api/v1
Location: bridge/grok_bridge.py:29

Dependencies and supply chain

Package  Version   Source  Known vuln  Notes
openai   >=1.0.0   pip     No          Version not pinned; major supply chain risk

File composition

7 files · 1255 lines
Python: 3 files · 851 lines
JavaScript: 1 file · 204 lines
Markdown: 1 file · 89 lines
Shell: 1 file · 84 lines
JSON: 1 file · 27 lines

Files of concern · 3
bridge/grok_bridge.py (Python · 392 lines): Undeclared credential access from OpenClaw auth profiles · https://openrouter.ai/api/v1
bridge/cli.py (Python · 269 lines): Undeclared arbitrary shell command execution
install.sh (Shell · 84 lines): Unpinned dependency with loose version constraint

Other files · apply.py · index.js · SKILL.md · openclaw.plugin.json

Security positives

Path traversal protection exists in file-writing operations via _safe_dest() and relative_to() checks.
File writes default to dry-run mode unless the --apply flag is explicitly provided.
Contained paths are validated before writing to prevent directory escape.
API calls go to the legitimate openrouter.ai endpoint, not to hidden C2 infrastructure.
The Morph LLM integration validates paths before file operations.
No base64 encoding, eval(), or obfuscation detected.
No direct-IP network requests to suspicious destinations.