ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

xAI Studio

v0.2.2

xAI Studio — generate and edit images and videos via the xAI API. Image: text-to-image, batch generation, multi-image editing, concurrent style transfers, mu...

0· 132·0 current·0 all-time
by@h0llyw00dzz
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (xAI Studio) matches the actual behavior: generating and editing images/videos through the xai_sdk. Required binary (python3) and primary env var (XAI_API_KEY) are proportionate to the described purpose.
Instruction Scope
SKILL.md and scripts/run.py confine actions to using the xai_sdk, encoding local files, optionally downloading user-supplied image/video URLs, and saving outputs under media/xai-output. This is expected, but note that user-supplied URLs will be fetched (urllib.urlretrieve) and local files may be read and base64-encoded and sent to the xAI service.
Install Mechanism
No high-risk installers are present. SKILL.md recommends creating a venv and pip-installing xai-sdk; metadata includes apt/pip steps. Small inconsistency: the registry summary said 'No install spec — instruction-only', yet SKILL.md contains install entries and a code file is included. The pip package xai-sdk is the expected dependency; verify its provenance before installing.
Credentials
Only XAI_API_KEY is required as the primary credential, which is appropriate for calling the xAI API. The code does not read other environment variables or system config paths.
Persistence & Privilege
always is false and the skill does not request persistent system privileges or modify other skills. It writes outputs to a local media directory only (no system-wide changes).
Assessment
This skill appears coherent for its stated purpose, but consider these before installing: - The xai-sdk will send your provided images/videos and prompts to xAI; do not upload sensitive/private media unless you accept that it will be sent to the service. - The skill requires your XAI_API_KEY; treat it like any API secret. Only provide a key with the appropriate scope and rotate it if you stop using the skill. - SKILL.md suggests installing the xai-sdk via pip. Verify the xai-sdk package identity (official repository or PyPI publisher) before installing in a shared environment. - The CLI will fetch any image/video URLs you pass (urllib.urlretrieve). Only pass trusted URLs to avoid unexpected network activity or malicious payloads. - Minor metadata inconsistency: the registry listing noted 'instruction-only' but the package includes a scripts/run.py and install instructions. That’s not dangerous, but be aware the skill includes executable Python code that will run locally.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bhmd403rpxj691d37fw5x518328ws

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📽️ Clawdis
Binspython3
EnvXAI_API_KEY
Primary envXAI_API_KEY

Comments