Groq API Inference
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: groq-api Version: 1.0.0 The OpenClaw skill bundle for Groq API inference is benign. It clearly defines its purpose, limits network communication to declared Groq API endpoints, and restricts local file access to a dedicated `~/groq-api/` directory. The skill explicitly states that `GROQ_API_KEY` is not stored in files and guides the agent to handle credentials responsibly. Instructions in `SKILL.md` and `setup.md` are focused on legitimate API usage, error handling, and user interaction, with no evidence of prompt injection attempts to subvert the agent or perform malicious actions like data exfiltration, unauthorized execution, or persistence mechanisms. All `curl` commands are well-formed and target the declared Groq API.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill can consume the user's Groq API access or quota, and the key should remain protected.
The skill uses a Groq API key for authenticated provider access. This is expected for a Groq API integration and the artifacts say not to store the key in files.
Check `GROQ_API_KEY` first and use `Authorization: Bearer $GROQ_API_KEY` for every request.
Keep GROQ_API_KEY in the environment only, use a key with appropriate limits, and do not paste the key into project files or logs.
Any prompt text or audio submitted through the skill is shared with Groq for processing.
The skill clearly discloses external provider communication and limits it to Groq inference/transcription endpoints, but user prompts and audio may contain sensitive information.
Data that leaves your machine: Prompt content sent to Groq inference endpoints; Audio content sent to Groq transcription endpoint when requested
Only send content you are comfortable sharing with Groq, and avoid including secrets or sensitive personal data unless necessary.
Saved preferences may make the skill activate or behave differently in later Groq-related tasks.
The skill uses persistent memory for activation preferences and workflow defaults. The scope is disclosed and excludes keys and payload content, but it can influence future behavior.
Save only activation trigger preferences to the user's global memory (no keys, no payload content). Mirror a short summary in `~/groq-api/memory.md`.
Review or delete ~/groq-api/memory.md and any global activation preferences if you no longer want this workflow to persist.