ClawHub
Back to skill
v1.0.0

X Search

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:44 AM.

Analysis

This skill appears to do what it says: search X/Twitter through xAI using an API key, with no evidence of hidden persistence, destructive actions, or unrelated data access.

GuidanceThis looks reasonable to install if you are comfortable giving the skill access to an xAI API key and sending your search queries to xAI. Protect the API key, watch for API usage costs or quota consumption, and treat returned X posts and summaries as untrusted information that should be verified through citations.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
scripts/search.py
api_key = os.environ.get("XAI_API_KEY", "").strip(); "Authorization": f"Bearer {api_key}"

The skill reads an xAI API key from the environment and uses it as a bearer token for requests to the xAI API. This is expected for the stated purpose, but it is still delegated account/API access.

User impactAnyone using the skill must provide an xAI API key, and searches may consume that account's API quota or be associated with that account.
RecommendationUse a dedicated xAI API key with the minimum needed permissions where possible, keep it secret, and revoke or rotate it if it is exposed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityInfoConfidenceHighStatusNote
SKILL.md
Uses the xAI Responses API with `x_search` tool (Grok performs the search and summarizes results); Results include citations with links to original X posts

The skill retrieves and summarizes external user-generated X content, which is purpose-aligned but should be treated as untrusted context rather than instructions.

User impactReturned posts or summaries could include misleading claims or prompt-like text that should not override the user's intent.
RecommendationVerify important results through the cited links and do not allow retrieved social media content to change tool-use decisions or agent instructions.