graincrawl

SUSPICIOUS. The skill’s capabilities generally match its archive/search purpose, but install trust is weakened by a provenance mismatch between the stated publisher (`openclaw`) and the Go module source (`vincentkoc`), plus an unpinned `@latest` external CLI. Data access appears proportionate, and there is no direct evidence of credential theft or malicious exfiltration, but the binary’s trust chain is not internally consistent enough to rate fully benign.