Is castanley/grok safe?

https://github.com/openclaw/skills/tree/main/skills/castanley/grok

Overall score: 70 (CAUTION)

The castanley/grok skill presents moderate risk primarily due to an unaudited executable file (search.mjs) whose .mjs extension caused it to evade the *.js evidence-collection pattern — its full content and intent remain unknown. Additional concerns include a non-standard domain (grokipedia.com) in examples, an undeclared locked dependency (academic-research-hub), a behavioral instruction that conditions users to emit specific trigger keywords ('poll'), and a placeholder homepage URL in a purportedly mature v1.0.3 release. Canary file integrity was maintained and clone behavior was clean, indicating no confirmed exfiltration during the audit window, but the unaudited search.mjs represents a significant blind spot that prevents a clean safety determination.

Category Scores (score · weight)

Prompt Injection 75/100 · 30%
Data Exfiltration 62/100 · 25%
Code Execution 55/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 82/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (7)

HIGH (-38): search.mjs executable file not audited; the .mjs extension evades the *.js collection pattern

A bundled ES module file search.mjs was installed into the skill directory but was not captured by the source code collection script, which uses a '.js' glob that does not match '.mjs' files. The full content of this file is unknown. It is architecturally inconsistent with the skill's declared 'interface: REST' and 'dependencies: []' metadata. Without auditing this file, any malicious behavior (credential harvesting, covert network calls, prompt injection payload delivery) would go undetected.

MEDIUM (-25): Unaudited search.mjs could exfiltrate data to third-party endpoints

Because search.mjs content was not collected, it is unknown whether the file makes additional network calls beyond the documented api.x.ai endpoint. The skill has network access (required to call xAI APIs) and the unaudited executable could silently forward query content, environment variables, or file contents to attacker-controlled infrastructure.

MEDIUM (-20): Undeclared dependency 'academic-research-hub' in .clawhub/lock.json

The skill's lock file records a pinned installation of '[email protected]' that is not declared in the skill's SKILL.md metadata dependencies field. This hidden dependency could be loaded automatically by the ClawHub runtime, expanding the attack surface and potentially enabling skill-chaining where one skill's injected instructions alter another skill's behavior.

MEDIUM (-15): 'poll' keyword instruction trains users to emit agent-controlled trigger words

The SKILL.md instructs the agent to tell users to type the literal word 'poll' when searches are slow. This conditions users to type specific keywords on the agent's command. A more sophisticated version of this pattern could be used to have users unknowingly confirm actions, emit tokens that trigger other skill behaviors, or override agent guardrails by having the user appear to provide explicit consent.

LOW (-12): grokipedia.com included as example allowed_domain; non-standard, potentially controlled domain

The Web Search examples in SKILL.md include 'grokipedia.com' alongside legitimate domains un.org and gov.uk. This non-existent or attacker-registered domain is presented as a natural example that agents may follow, normalizing the restriction of searches to a potentially attacker-controlled endpoint that could serve manipulated results.

LOW (-10): Placeholder homepage URL and author handle in examples indicate unvetted provenance

The skill declares version 1.0.3 yet retains a placeholder homepage ('https://github.com/yourusername/xai-grok-search'). Published skills at this version level should have a real repository URL. This suggests either the skill was not properly reviewed before publishing or the author deliberately obscured their identity. The author's own X handle 'cstanley' appears in allowed_x_handles examples alongside high-profile accounts.

INFO (0): Credential canary files accessed; consistent with system/framework activity

Auditd PATH records show accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json. The early accesses (1771907335) are during GDM/PAM login initialization — normal OS boot behavior. The batch at 1771907357.881 (all 6 files at identical millisecond) is consistent with the Oathe canary integrity scanner. Canary integrity check passed: no files were modified or exfiltrated.