Security Audit

granola

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CAUTION

Scanned 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

granola received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.

SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 1 medium, and 0 low severity. Key findings include Suspicious import: urllib.request, Arbitrary File Read via CSV Import, Server-Side Request Forgery (SSRF) via URL Fetching.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

93%

Dependency Graph

100%

LLM Behavioral Safety

70%

Behavioral Risk Signals

Network Access

2 findings

Filesystem Write

1 finding

Excessive Permissions

3 findings

Security Findings3

Severity	Finding	Layer	Location
HIGH	Arbitrary File Read via CSV Import The `scripts/csv_import.py` script allows reading any file on the filesystem via the `--file` argument. This argument is directly passed to `open()`, enabling an attacker to specify paths to sensitive files (e.g., `/etc/passwd`, `.ssh/id_rsa`, application configuration files) and exfiltrate their contents. The `Path(args.file).exists()` check only confirms existence, not safety or scope. Restrict the `--file` argument to a specific, sandboxed directory (e.g., a temporary upload directory) or implement a secure file upload/selection mechanism that does not expose the full filesystem. Alternatively, validate the file path to ensure it resides within an allowed, non-sensitive directory.	LLM	scripts/csv_import.py:50
HIGH	Server-Side Request Forgery (SSRF) via URL Fetching The `scripts/fetch_shared.py` script fetches content from any URL provided via the `--url` argument using `urllib.request.urlopen`. This vulnerability allows an attacker to perform Server-Side Request Forgery (SSRF), potentially accessing internal network resources, scanning ports, or making requests to sensitive endpoints that are not publicly exposed. The current URL validation (`'granola' in args.url or 'share' in args.url`) is weak and can be easily bypassed (e.g., by appending `?granola` to a malicious URL). Implement strict URL validation to only allow specific, trusted domains (e.g., `share.granola.ai`, `granola.ai`) and explicitly disallow IP addresses, internal network ranges, or any other untrusted domains. Use a robust URL parsing library to ensure proper validation.	LLM	scripts/fetch_shared.py:20
MEDIUM	Suspicious import: urllib.request Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration.	Static	skills/mvanhorn/granola-notes/scripts/fetch_shared.py:12

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/6268022830b691f5.svg)](https://skillshield.io/report/6268022830b691f5)