Skill v1.0.0
ClawScan security
showname · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 21, 2026, 2:33 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, install steps, and required credential (XAI_API_KEY) align with its stated purpose of searching X (Twitter) via the xAI Grok Responses API; nothing requests unrelated secrets or installs arbitrary remote code.
- Guidance: This skill appears coherent and limited to searching X via the xAI API. If you install it, only provide an xAI API key (XAI_API_KEY). Review the key's permissions in your xAI console and consider using a scoped API key for read/search if available. Note: metadata owner IDs differ between the registry and _meta.json (minor mismatch in packaging), but this is not evidence of malicious behavior.
Review Dimensions
- Purpose & Capability: ok. Name/description (x-search) match the code and README: the scripts call the xAI Responses API to perform x_search tool queries. Requested binary (python3) and primaryEnv (XAI_API_KEY) are appropriate for this purpose.
- Instruction Scope: ok. SKILL.md instructs only to set XAI_API_KEY and run the included Python script with search-related flags. The script only reads XAI_API_KEY from the environment, validates CLI flags, and posts to https://api.x.ai/v1/responses. It does not read other system files, other env vars, or transmit data to unrelated endpoints.
- Install Mechanism: ok. Install spec uses a Homebrew formula for python (well-known package manager). No downloads from arbitrary URLs or archives; code is bundled with the skill and executed by the local python interpreter.
- Credentials: ok. Only XAI_API_KEY is required (declared as primaryEnv). No other secrets, keys, or config paths are requested. The env usage in the code matches the declared requirement.
- Persistence & Privilege: ok. The skill is not force-included (always: false) and does not modify other skills or system-wide agent settings. It runs on demand and does not request persistent elevated privileges.
