ClawHub

xAI Search

v1.0.4

Search X/Twitter and the web in real-time using xAI's Grok API with agentic search tools.

1· 2.9k·9 current·9 all-time
by@aydencook03
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code and SKILL.md: the script and instructions call xAI/Grok web_search and x_search. However, the registry metadata lists no required environment variables or primary credential while SKILL.md and the script both require XAI_API_KEY. That metadata omission is an inconsistency.
Instruction Scope
Runtime instructions and the helper script only instruct use of the xai-sdk and the XAI API key, create chat requests, stream responses, and print citations. They do not read unrelated files, other env vars, or exfiltrate data to unexpected endpoints.
Install Mechanism
No formal install spec is provided (instruction-only with a helper script). SKILL.md asks users to pip install xai-sdk. Using pip is common, but installing third-party packages has supply-chain risk—verify the legitimacy of the xai-sdk package on PyPI or prefer installing in an isolated environment.
!
Credentials
The only needed secret is XAI_API_KEY, which is proportionate to contacting xAI. The concern is that the skill registry data did not declare this required API key (registry shows no required env vars/primary credential), which is an unexpected mismatch and reduces transparency about what secrets the skill needs.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide settings, and is user-invocable only. It runs as a normal, non-persistent helper script.
What to consider before installing
This skill's code is short and does what the description says (calls xAI/Grok via xai-sdk), but the registry metadata failing to declare the required XAI_API_KEY is a transparency issue. Before installing or providing an API key: 1) Verify the skill's provenance (homepage/author) — the source is unknown. 2) Inspect the xai-sdk package on PyPI (or its repo) to ensure it's the official client. 3) Only provide an XAI API key with minimal permissions and consider creating a scoped/test key. 4) Install and run the script in an isolated environment (virtualenv, container) if you want to reduce risk. 5) Ask the publisher/registry to correct the metadata so required credentials are declared. If you can't verify the package origin, treat this as higher risk and avoid installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dpjf2am0hr28vqeewhh5mgh803weq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔍 Clawdis

Comments