ClawHub
Back to skill
v1.0.0

grok_image_generate

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:09 AM.

Analysis

This instruction-only skill matches its stated image-generation workflow, but it relies on a browser profile, desktop automation, and Feishu file sending that users should keep intentional.

GuidanceThis skill appears coherent for generating a Grok image, saving it, and sending it to Feishu. Before installing or using it, be comfortable with the agent opening Grok in the specified browser profile, running desktop-control commands, saving files locally, and sending the selected image through Feishu. Replace the example file paths with your own and verify the recipient/channel before sending.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
uvx desktop-agent mouse move <x> <y>
uvx desktop-agent mouse right-click
uvx desktop-agent keyboard press return

The skill asks the agent to control the desktop with coordinates, right-clicks, and keyboard presses to save the generated image. This is disclosed and purpose-aligned, but GUI automation can act on the wrong window if not carefully supervised.

User impactThe agent may move the mouse or press keys on the active desktop while saving an image.
RecommendationKeep the Grok image window focused, verify coordinates and dialogs before executing desktop-control steps, and avoid using this flow while sensitive windows are active.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
uvx desktop-agent screen size

The workflow invokes an external helper by package name using `uvx`, but the provided artifacts do not pin a version or include an install specification for that helper.

User impactRunning the helper depends on whatever `uvx desktop-agent` resolves to in the user's environment.
RecommendationUse a trusted, pinned version of the desktop-control helper where possible, and confirm the helper source before allowing it to control the desktop.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
playwright({
  action: "open",
  profile: "openclaw",
  url: "https://grok.com/imagine"
})

The skill opens Grok Imagine using a named browser profile, which may rely on an existing Grok session or account. This is expected for using Grok but is not declared as a credential requirement in metadata.

User impactImage generation may use the user's logged-in Grok account and could consume account quota or be tied to that account.
RecommendationUse the intended browser profile, confirm the active Grok account, and be aware of any Grok usage limits before generating images.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
message({
  action: "send",
  filePath: "/Users/xiaohuozi/Downloads/图片文件名.jpg",
  message: "图片描述"
})

The workflow sends a local image file through a Feishu messaging tool. This is part of the stated purpose, but it transfers a local file to an external messaging workspace.

User impactThe generated image may be uploaded and sent to Feishu.
RecommendationConfirm the exact image file, recipient or channel, and message text before using the Feishu send step.