xAI Search
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a straightforward xAI/Grok search helper, with the main caveats that it sends your queries to xAI, uses your XAI_API_KEY, and asks for an unpinned SDK install.
Install only if you are comfortable using an xAI API key and sending search queries to xAI/Grok. Consider installing the SDK in a virtual environment, pinning the dependency version, and avoiding secrets or sensitive private data in queries.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A single query may result in multiple external search operations through Grok.
The skill enables provider-side search tools and discloses that one request may trigger multiple search calls. This is central to the search purpose and not evidence of hidden or unsafe tool use.
This leverages Grok's `web_search` and `x_search` tools. ... The model will make multiple search calls if needed (agentic)
Use the skill for intended searches and provide clear query scope or filters when needed.
Using the skill consumes authority associated with the xAI API key you provide.
The helper script reads an xAI API key from the environment to authenticate to the provider. This is expected for the integration, but it is sensitive account access and the registry metadata lists no primary credential.
api_key = os.environ.get("XAI_API_KEY") ... client = Client(api_key=api_key)
Set XAI_API_KEY deliberately, use a restricted or rotatable key if available, and remove or revoke it when no longer needed.
The installed SDK version may vary depending on what pip resolves at install time.
The setup uses an unpinned pip dependency. This is a normal, user-directed install for the stated purpose, but package version and provenance are not locked by the artifact.
Python 3 + xai-sdk: `pip install xai-sdk`
Install from a trusted package source, consider using a virtual environment, and pin or review the xai-sdk version if reproducibility matters.
Search terms and any information typed into the query leave the local environment and are processed by xAI/Grok.
The documented workflow sends the user's query content to xAI's external API. This is disclosed and purpose-aligned, but users should treat submitted queries as provider-shared data.
curl -s https://api.x.ai/v1/chat/completions ... "messages": [{"role": "user", "content": "YOUR QUERY HERE"}]
Avoid putting secrets or unnecessary private information into searches, and review xAI's data handling terms if that matters for your use case.
