Grok Imagine Video Generation
PassAudited by ClawScan on May 1, 2026.
Overview
This appears to be a straightforward xAI Grok media-generation integration, with expected API-key use, local Python helper execution, and local saving of generated files.
Before installing, confirm you trust the package source, use your own xAI API key, expect prompts and referenced media to be sent to xAI, monitor possible API costs, and keep downloaded outputs in a workspace directory.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Generated media requests may consume the user's xAI API quota or incur costs under their account.
The client uses the supplied xAI API key as a bearer token for API requests. This is necessary for the advertised integration, but it means the skill can act against the user's xAI account and quota.
"Authorization": f"Bearer {api_key}"Use a dedicated xAI API key if possible, monitor usage, and avoid sharing the key in chat or logs.
The skill may run its included Python helper to contact xAI and manage downloads.
The skill's workflows direct use of local Python code from the bundled helper script. This is central to the skill's purpose, but it is still local code execution that users should recognize before installing.
python3 - << 'EOF' ... from grok_video_api import GrokImagineVideoClient
Review the bundled helper code before use and install only from a trusted package/source.
If misused, downloads could be saved outside the intended workspace or overwrite an unintended file.
The download helpers create directories and write media to a caller-supplied output path. This is expected for delivering generated files, but the code does not itself restrict paths to a workspace.
os.makedirs(os.path.dirname(output_path), exist_ok=True) with open(output_path, "wb") as f:
Save generated media only to workspace-scoped paths and avoid protected or system locations.
Users have less registry-level provenance information for verifying the origin of the bundled helper code.
The registry metadata does not provide a source or homepage, and installation is manual/instruction-only. No remote install script is evidenced, but provenance is limited.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Verify the skill package source and compare it with any trusted upstream repository before providing an API key.