X Grok to Obsidian
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill appears purpose-aligned, but it captures private Grok history from a logged-in X session and stores raw captured data in browser localStorage checkpoints, which users should review carefully.
Install only if you are comfortable running a browser-console script while logged into X and exporting potentially all Grok conversations. Before a full run, review the JavaScript, test with a small limit if available, decide where the downloaded JSON and Markdown files should be stored, and clear the localStorage checkpoint if the capture is interrupted.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The script runs with access to private Grok conversation responses available to the logged-in X account.
The skill relies on the user's active X login/session to access Grok conversations. This is expected for the export purpose, but it is still account-session authority.
Run the browser script in Chrome DevTools Console on `https://x.com/i/grok` while logged in.
Run it only in the intended browser profile, review the script before use, and reload or close the tab after the export completes.
A user may capture more conversations and generate more account activity than expected, potentially including all historical Grok chats and rate-limit-triggering requests.
The script performs broad automated discovery and navigation through every discovered Grok conversation in the logged-in session. This is aligned with backup/export, but it is high-scope account automation and the visible code's indexing default is broader than SKILL.md's documented default of 3 passes.
const INDEX_PASSES = 8; ... const SCROLL_MAX = 340; ... for (let i = (pass === startPass ? startIndex : 0); i < targets.length; i++) { ... history.pushState({}, '', `${u.pathname}${u.search}`);Add a clear, working maximum-conversation limit, align documented defaults with code, and ask users to run a small test export before a full-account export.
Private Grok conversation content may remain in browser storage after a crash, tab close, or interrupted run, and could be readable by scripts running in the same x.com origin.
The checkpoint stores raw captured response data, including conversation payloads, in x.com localStorage. The README says checkpoints are cleared on successful completion, but interrupted runs can leave private chat data persisted in the browser.
captured: [...captured.values()].map(x => ({ restId: x.restId, requestUrl: x.requestUrl, source: x.source, data: x.data })), ... localStorage.setItem(CHECKPOINT_KEY, JSON.stringify(cp));Prominently disclose this persistence, provide a one-line cleanup command for the checkpoint key, minimize checkpoint contents where possible, and consider requiring user confirmation before saving raw captured data.
Users have less external provenance information to validate before trusting the script with their logged-in X page.
The registry metadata does not identify an external source or homepage. The included source is visible and static scan was clean, but provenance is still relevant because the skill asks users to run browser-console code in an authenticated session.
Source: unknown; Homepage: none
Publish a source repository or homepage and keep the reviewed scripts identical to the distributed skill.