X Search

Pass

Audited by ClawScan on May 1, 2026.

Overview

This skill appears to do what it says: search X/Twitter through xAI using an API key, with no evidence of hidden persistence, destructive actions, or unrelated data access.

This looks reasonable to install if you are comfortable giving the skill access to an xAI API key and sending your search queries to xAI. Protect the API key, watch for API usage costs or quota consumption, and treat returned X posts and summaries as untrusted information that should be verified through citations.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone using the skill must provide an xAI API key, and searches may consume that account's API quota or be associated with that account.

Why it was flagged

The skill reads an xAI API key from the environment and uses it as a bearer token for requests to the xAI API. This is expected for the stated purpose, but it is still delegated account/API access.

Skill content

api_key = os.environ.get("XAI_API_KEY", "").strip(); "Authorization": f"Bearer {api_key}"

Recommendation

Use a dedicated xAI API key with the minimum needed permissions where possible, keep it secret, and revoke or rotate it if it is exposed.

What this means

Returned posts or summaries could include misleading claims or prompt-like text that should not override the user's intent.

Why it was flagged

The skill retrieves and summarizes external user-generated X content, which is purpose-aligned but should be treated as untrusted context rather than instructions.

Skill content

Uses the xAI Responses API with `x_search` tool (Grok performs the search and summarizes results); Results include citations with links to original X posts

Recommendation

Verify important results through the cited links and do not allow retrieved social media content to change tool-use decisions or agent instructions.