Skill v1.1.0
ClawScan security
Grok Imagine · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 1, 2026, 11:24 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, declared requirements, and runtime instructions are consistent with an xAI Grok Imagine image/video generator and do not request unrelated credentials or surprising system access.
- Guidance: This skill appears to do what it says: call xAI's image/video endpoints, download media, and save files. Before installing, ensure you: (1) only provide an XAI_API_KEY you trust for image generation and monitor usage/costs (video polling can incur charges while it runs); (2) are comfortable with the script reading ~/keys.txt if that file exists (remove or secure it if not); (3) understand the skill will download remote media and write files to the provided output paths; and (4) note the SKILL.md mentions reading ~/.openclaw/openclaw.json but the bundled script does not; if you rely on that behavior, verify it or set the env/--api-key explicitly. Overall the package is coherent with its stated purpose.
Review Dimensions
- Purpose & Capability (ok): Name/description, required XAI_API_KEY, endpoints (api.x.ai), and the provided script all align with an image/video generation skill. Required capabilities are proportional to the stated purpose.
- Instruction Scope (note): Runtime instructions tell the agent to run the included script and only reference XAI_API_KEY, a local keys.txt fallback, and output paths. The script does network calls to the xAI API, downloads returned media to disk, and polls for video status as documented, all within the scope. Minor mismatch: SKILL.md also claims the key can be read from ~/.openclaw/openclaw.json, but the included script only implements env var, explicit --api-key, and ~/keys.txt lookup.
- Install Mechanism (ok): No install spec; the skill is instruction-only with a bundled script. Nothing is downloaded or executed at install time.
- Credentials (note): Only XAI_API_KEY is required (declared as primary). The script optionally reads ~/keys.txt for a fallback key (documented). There are no unrelated secrets requested. Users should note the script will read keys.txt if present; ensure that file's contents and permissions are acceptable.
- Persistence & Privilege (ok): always is false and the skill does not request persistent/privileged presence or modify other skills or system-wide settings. Autonomous invocation is allowed but is the platform default.
