Back to skill

Security audit

xAI Search

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward xAI/Grok search helper that sends user search queries to xAI as advertised, with no evidence of hidden or destructive behavior.

Install this only if you are comfortable providing an xAI API key and sending search terms to xAI/Grok. Avoid entering secrets, credentials, regulated data, or confidential internal information in queries, and consider using a virtual environment with a pinned xai-sdk version.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill explicitly relies on the `XAI_API_KEY` environment variable, which means it has access to environment-based secrets, yet no permissions are declared. This can mislead users and hosting systems about the skill's actual capabilities, weakening least-privilege controls and making secret exposure or unintended secret use harder to audit.

Missing User Warnings

Low
Confidence
95% confidence
Finding
The skill encourages users to submit arbitrary queries to xAI's external API but does not warn that those queries may contain sensitive or user-provided data and will be transmitted off-platform. In a search skill, this context increases the likelihood that users will paste private text, making the omission a real privacy and data-handling risk rather than a purely informational issue.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.