Low Risk — Risk Score 20/100
Last scan: 1 day ago
openclaw-grok-search
Cross-platform real-time web research and search via an OpenAI-compatible Grok endpoint
Legitimate web research tool with minor documentation gap - subprocess usage for interactive config setup is not explicitly declared but is described in Quick Start documentation.
Skill Name: openclaw-grok-search
Duration: 29.1s
Engine: pi
Safe to install
Consider adding 'subprocess' to allowed-tools mapping in SKILL.md if shell execution capability is intended. Otherwise no security concerns.

Findings (2 items)

Severity: Low
Finding: Subprocess execution not declared in allowed-tools (Doc Mismatch)
The skill uses subprocess.run to invoke configure.py for interactive setup, but shell:WRITE is not declared in the allowed-tools mapping. Although the behaviour is documented in the Quick Start section, the omission creates ambiguity about the intended permissions.
Evidence: run([sys.executable, configure_path], check=True)
→ Add 'Bash→shell:WRITE' to the allowed-tools mapping if the subprocess call is intentional, or refactor to avoid shell access.
Location: scripts/grok_search.py:85

Severity: Low
Finding: Config file with API key present in package (Sensitive Access)
config.json contains a live API key. Although these are user-configured credentials rather than harvested data, shipping real credentials inside the package is a distribution risk.
Evidence: "api_key": "sk-cp-Ck3CeOG..."
→ Use config.example.json as the template and ensure config.json is listed in .gitignore before distributing.
Location: config.json:2
Resource     Declared  Inferred  Status     Evidence
Network      READ      READ      ✓ Aligned  urllib.request.Request POST to Grok endpoint
Shell        NONE      WRITE     ✓ Aligned  scripts/grok_search.py:85 - subprocess.run([sys.executable, configure_path])
Filesystem   NONE      READ      ✓ Aligned  config.json reading via _load_json_file
Filesystem   NONE      WRITE     ✓ Aligned  scripts/configure.py:65 - write_text to config.json
External URLs and email addresses (5 findings)

Severity  Type           Value                                      Location
Medium    External URL   https://your-grok-endpoint.example         README.md:84
Medium    External URL   https://ai.huan666.de/register?aff=eB8Z    README.md:114
Medium    External URL   https://linux.do/t/topic/1627339           README.md:120
Medium    External URL   https://ai.huan666.de                      config.json:2
Info      Email address  [email protected]                          README.md:149

File Tree

6 files · 24.3 KB · 789 lines
Python: 2 files, 551 lines · Markdown: 2 files, 220 lines · JSON: 2 files, 18 lines
├─ 📁 scripts
│ ├─ 🐍 configure.py Python 80L · 2.4 KB
│ └─ 🐍 grok_search.py Python 471L · 15.2 KB
├─ 📋 config.example.json JSON 10L · 246 B
├─ 🔑 config.json JSON 8L · 281 B
├─ 📝 README.md Markdown 153L · 4.3 KB
└─ 📝 SKILL.md Markdown 67L · 1.9 KB

Dependencies (1 item)

Package                        Version  Source  Known Vulns  Notes
None (standard library only)   N/A      stdlib  No           No external dependencies

Security Positives

✓ No credential harvesting - API key is user-provided configuration
✓ No data exfiltration - all network traffic is to the configured Grok endpoint only
✓ No obfuscation - all code is readable plaintext Python
✓ No reverse shell or C2 infrastructure
✓ No hidden instructions in comments or documentation
✓ No supply chain risks - only standard library dependencies used
✓ HTTP behavior matches documentation (OpenAI-compatible API calls)