Is gmickel/gno safe?
https://github.com/openclaw/skills/tree/main/skills/gmickel/gno
The gmickel/gno skill is a clean documentation reference for a legitimate local knowledge search CLI tool. The SKILL.md contains no prompt injection patterns, no hidden instructions, and appropriately restricts Bash access to gno:* commands only. The primary concerns are operational rather than malicious: the gno serve command defaults to binding to 0.0.0.0, which could silently expose indexed local documents to the network, and gno mcp install/skill install can modify AI client configuration files. Installation was clean, with no suspicious network activity or filesystem writes outside the skill directory, and all canary honeypots were intact.
Findings (9)
MEDIUM gno serve binds to 0.0.0.0 by default -15
The CLI reference documents the default host as 0.0.0.0, meaning any agent-initiated 'gno serve' command exposes the full indexed document corpus (PDFs, markdown, code, contracts) to all local network hosts on port 3000. A user expecting local-only access would not be warned by the skill.
LOW gno serve network exposure of indexed local content -10
Indexed local directories (~/docs, ~/notes, contracts, etc.) become accessible over the network when gno serve is running. If an agent starts the server in response to a vague 'set up gno' request, sensitive documents could be network-accessible.
LOW gno mcp install and gno skill install modify AI client configuration -8
These commands write to claude_desktop_config.json, ~/.claude/, or project-scope config files. An agent running these could register persistent MCP servers or install additional skills without clear user confirmation of the config change scope.
LOW gno models pull downloads unverified AI model binaries -8
The skill documents gno models pull which fetches model files from external sources. The integrity verification of these models is outside the skill's scope and relies entirely on the gno binary's implementation.
LOW gno index --git-pull executes git pull on tracked repositories -10
If indexed directories contain git repositories, git-pull during indexing pulls arbitrary external code changes. This is an indirect code execution vector if the user's indexed repos contain executable content.
LOW gno skill install can register skills into the AI assistant's own config -7
A sufficiently vague user instruction ('set up gno for my AI assistant') could lead the agent to run gno skill install, writing new skill files into ~/.claude/ or project scope, effectively allowing the gno binary to inject instructions into the agent's future sessions.
LOW Sparse checkout from shared monorepo introduces supply chain dependency -5
The skill is distributed from a shared monorepo (openclaw/skills). A compromise of that repository would affect all skills in the monorepo. The install mechanism uses --depth 1 which mitigates history-based attacks but not current-commit injection.
INFO External documentation URL in mcp-reference.md -5
mcp-reference.md includes a reference to gno.sh/docs/MCP. The agent has Read access (allowed-tools includes Read) but gno.sh is not in the skill directory. The Read tool on local files cannot fetch remote URLs, so this is informational only.
INFO Canary files accessed only by Oathe infrastructure 0
PATH audit events for .env, .ssh/id_rsa, .aws/credentials etc. at timestamps 1771911374 (start) and 1771911400 (end) are from the Oathe baseline/final integrity check process, not from the skill installation or any gno process.