Skill v0.2.1
ClawScan security
Grok Image Cli · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 20, 2026, 6:22 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions are consistent with a CLI wrapper for xAI image generation and only request the expected API key credential and standard Node tooling.
- Guidance
- This skill appears to do what it says: it's a CLI wrapper around xAI image APIs and requires Node and the grok-img binary plus an xAI API key stored in your OS credential store (or via XAI_API_KEY). Before installing: 1) verify the npm package and GitHub repo (check the provenance/commit referenced) and prefer auditing source if you have concerns; 2) confirm you trust the grok-img binary's origin (npm scope and publisher); 3) be aware that when you use the edit command with a remote image URL the CLI will fetch that URL over HTTPS; 4) note the minor metadata mismatch (registry claims no primary credential but SKILL.md uses a cross-keychain credential) — this is likely an editorial issue but you may want the publisher to correct it. If any of these checks fail, avoid installing or run installation in an isolated environment.
Review Dimensions
- Purpose & Capability
- ok: The name/description (grok-image-cli) align with the requested binaries (grok-img, node) and the declared use of an xAI API key; these are reasonable for a CLI that wraps the xAI Grok Image API.
- Instruction Scope
- ok: SKILL.md instructs the agent to use the grok-img CLI, manage credentials via the OS keychain, call api.x.ai over HTTPS, and optionally fetch remote images when editing — all within the stated image-generation/editing scope. There are no instructions to read unrelated system files or exfiltrate data to other endpoints.
- Install Mechanism
- note: No automated install spec is bundled with the skill (instruction-only), but the README provides standard install commands (npm install -g, or git clone then npm build). These use known channels (npm, GitHub); user guidance to audit before installing is included. This is normal, but the registry lacks an automated install spec.
- Credentials
- note: The CLI legitimately needs an xAI API key stored in the OS credential store and optionally accepts XAI_API_KEY as a fallback. There is a small metadata inconsistency: the registry summary showed 'no primary credential' while SKILL.md declares a cross-keychain credential and optional XAI_API_KEY — functionally this is proportional, but the metadata mismatch should be corrected.
- Persistence & Privilege
- ok: The skill does not request always:true and does not modify other skills or system-wide configs. It stores only its own API key in the OS credential store (expected behavior for a CLI).
