xAI Search

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward xAI/Grok search helper that sends user search queries to xAI as expected for its purpose.

Install this only if you are comfortable providing an xAI API key and sending your search terms to xAI/Grok. Avoid putting secrets, regulated data, or confidential internal information in queries, and consider using a virtual environment plus a pinned xai-sdk version.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill documentation describes real-time search via xAI but does not warn users that their prompts and search queries are transmitted to an external third-party API. In practice, users may supply sensitive or proprietary data to the skill without understanding that it leaves the local environment, creating privacy, compliance, and data-handling risk.

Missing User Warnings

Medium
Confidence: 92%
Finding
The script sends the user-provided query to xAI and remote web/X search services without any disclosure, confirmation, or privacy warning. This can expose sensitive prompts, internal identifiers, or confidential search terms to third-party services, which is especially relevant for agent skills where users may not realize the query leaves the local environment.

VirusTotal

64/64 vendors flagged this skill as clean.
