Is graqle safe to install?

graqle was flagged as CRITICAL RISK (risk score 2373) with 225 findings detected across 1187 files. Review the findings before installing.

What security issues were found in graqle?

Sigil detected 225 findings in graqle, including patterns related to code_patterns, provenance, network_exfil, credentials, obfuscation, install_hooks. See the full scan report for details.

Scans/pypi/graqle

graqle

pypi

Summary

graqle v0.31.1 was classified as CRITICAL RISK with a risk score of 2373. Sigil detected 225 findings across 1187 files, covering phases including code patterns, provenance, network exfiltration, credential access, obfuscation, install hooks. Review the findings below before installing this package.

Package description: Give your AI tools architecture-aware reasoning. Build a knowledge graph from any codebase — dependency analysis, impact analysis, governed AI answers with confidence scores. Works with Claude Code...

CRITICAL RISK(2373)

v0.31.1

20 March 2026, 12:30 UTC

by Sigil Bot

Risk Score

2373

Findings

225

Files Scanned

1187

Provenance

Registry

https://pypi.org/project/graqle/0.31.1/

Findings by Phase

•

Phase Ordering

Phases are ordered by criticality, with the most dangerous at the top. Click any phase header to expand or collapse its findings. Critical phases are expanded by default.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

graqle-0.31.1/graqle/cli/commands/plugins.py:65

        "install_type": "mcp-server",
        "install_cmd": "curl -fsSL https://install.cmem.ai/openclaw.sh | bash",
        "install_dir": None,

Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

Badge

Markdown

[![Sigil Scan](https://sigilsec.ai/badge/pypi/graqle)](https://sigilsec.ai/scans/FF28A00D-19BD-4525-BB22-1F49607884E2)

HTML

<a href="https://sigilsec.ai/scans/FF28A00D-19BD-4525-BB22-1F49607884E2"><img src="https://sigilsec.ai/badge/pypi/graqle" alt="Sigil Scan"></a>

Run This Scan Yourself

Scan your own packages

Run Sigil locally to audit any package before it touches your codebase.

curl -sSL https://sigilsec.ai/install.sh | sh

Read the docs →Free. Apache 2.0.

Early Access

Get cloud scanning, threat intel, and CI/CD integration.

Join 150+ developers on the waitlist.

Get threat intelligence and product updates

Security research, new threat signatures, and product updates. No spam.

Other pypi scans

localclaw

v0.4.0.0

CRITICAL RISK372

mcp-suno

v2026.3.20.2

CRITICAL RISK157

claude-mux

v1.0.0

CRITICAL RISK482

jupyter-ai-tools

v0.4.1

MEDIUM RISK19

discovery-engine-api

v0.2.78

MEDIUM RISK20

Believe this result is incorrect? Request a review or see our Terms of Service and Methodology.

Scanned bySigil Bot

← Back to Scan Database

graqle

Summary

Provenance

Findings by Phase

Install Hooks

Code Patterns

Obfuscation

Network / Exfiltration

Credentials

Provenance

Badge

Scan your own packages

Get threat intelligence and product updates

Other pypi scans