Grok Image Cli

Pass

Audited by ClawScan on May 1, 2026.

Overview

This looks like a coherent Grok image-generation CLI skill, but users should realize it relies on an external npm/GitHub CLI and uses an xAI API key plus image data.

This skill appears purpose-aligned. Before installing, confirm you trust the grok-image-cli npm package or GitHub repository, understand that it will use your xAI API key, and avoid sending sensitive images or prompts unless you are comfortable with xAI processing them.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill means trusting a separate CLI package and its dependencies, including a globally available command.

Why it was flagged

The skill directs installation and build/link steps for external npm/GitHub code that is not included in the reviewed artifact.

Skill content

npm install -g grok-image-cli ... git clone https://github.com/cyberash-dev/grok-image-cli.git && cd grok-image-cli && npm install && npm run build && npm link

Recommendation

Install only from the expected npm/GitHub source, review package contents if possible, and avoid running the source-build path unless you trust the repository.

What this means

The CLI can use the user's xAI account/API quota and billing authority for image generation and editing.

Why it was flagged

The skill requires access to an xAI API key, stored in the OS credential store or read from an environment variable fallback.

Skill content

credentials... "label":"xAI API key","storage":"cross-keychain" ... "env_fallback":"XAI_API_KEY"

Recommendation

Use a dedicated xAI API key with limited exposure where possible, monitor usage, and remove it with the documented logout command when no longer needed.

What this means

Prompts, selected images, and API requests may leave the local machine and be processed by xAI or fetched from a provided remote URL.

Why it was flagged

The skill sends generation/editing requests to an external provider and supports using local images or remote image URLs as inputs.

Skill content

A CLI for generating and editing images using the xAI Grok API ... grok-img edit "Make it a watercolor painting" -i ./photo.jpg

Recommendation

Do not submit private or sensitive images/prompts unless that is acceptable under xAI's terms and your data-handling requirements.