xAI Image Generator
v1.0.0Generate images from text prompts using xAI's Grok API with options for format, batch size, and automatic media attachment in OpenClaw.
⭐ 0· 1.1k·3 current·3 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Files and docs consistently describe an image-generation CLI that calls xAI's images API (https://api.x.ai). Requiring an XAI_API_KEY is proportionate. However the skill metadata at the registry top lists 'Required env vars: none' while skill.json and SKILL.md require XAI_API_KEY — that's an incoherence. Also the documentation repeatedly references a main executable 'xai-gen', but that file is not present in the provided file manifest (only test.sh and docs are included). Missing the main executable contradicts the stated capability.
Instruction Scope
SKILL.md instructs installation steps (pip install requests, chmod +x xai-gen) and suggests persisting XAI_API_KEY into ~/.bashrc via echo (which would write credentials into a shell profile). Those instructions are within scope for a CLI tool, but they also assume/require writing secrets to disk and running a missing executable. The docs and test.sh instruct the agent/user to run ./xai-gen and to output MEDIA: paths — reasonable for OpenClaw integration — but because the executable is absent, the runtime instructions cannot be followed as-is.
Install Mechanism
There is no formal install spec (instruction-only), which is low-risk normally. The SKILL.md asks to pip install requests and chmod an executable; that's typical. The concern is practical: the package claims a main executable (xai-gen) but that file is not included in the provided file list, so the installation instructions are incomplete and will fail or require fetching code from an external source (not provided).
Credentials
Requesting XAI_API_KEY is proportionate for a tool that calls xAI's API (skill.json marks it required). But the registry metadata at the top contradicts that (it lists no required env vars), indicating a mismatch between declared requirements and actual needs. SKILL.md also encourages writing the API key into ~/.bashrc, which is convenient but exposes persistent credentials on disk if users follow it; advise safer storage.
Persistence & Privilege
The skill does not request always:true, does not claim elevated privileges, and does not declare system-wide config changes beyond instructing the user to optionally add an environment variable to their shell profile. Autonomous invocation is allowed (platform default) but there's no evidence this skill requests persistent system privileges or modifies other skills.
What to consider before installing
Do not install this skill yet. Key issues to resolve before trusting it: 1) The bundle references a main executable 'xai-gen' but that file is not included — ask the author for the missing script or a verified repository/source. 2) Registry metadata says no env vars are required but skill.json and SKILL.md require XAI_API_KEY — confirm which is correct. 3) Inspect the xai-gen script source before running (ensure it only calls x.ai and does not exfiltrate data elsewhere). 4) Avoid blindly echoing your API key into ~/.bashrc; prefer a secure credential store or add the variable manually after reviewing. 5) Verify the API endpoint (https://api.x.ai) and the legitimacy of the publisher; if the code must be fetched from a remote repo, prefer an official GitHub release or reputable source. If the author cannot provide the missing executable and source code for review, treat the skill as incomplete and do not install.Like a lobster shell, security has layers — review code before you run it.
latestvk971t0ap8kaa9hw9syvajf3yts80s0jp
License
MIT-0
Free to use, modify, and redistribute. No attribution required.