ClawHub

xAI Plus

v2.0.2

Search X/Twitter and the web, chat with Grok models (text + vision), and analyze X content using xAI's API. Use when: searching X posts/threads, web research via Grok, chatting with Grok, analyzing voice patterns, researching trends, or checking post quality. Triggers: grok, xai, search x, search twitter, x search, ask grok, grok chat, analyze voice, x trends.

5· 2k·4 current·4 all-time
by@mischasigtermans
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name and description claim xAI/Grok integration for X/web search, chat (text+vision), and analysis. The included scripts (grok_search.mjs, chat.mjs, analyze.mjs, models.mjs) talk directly to x.ai endpoints and implement the advertised features. Required binary (node) and required env var (XAI_API_KEY) are exactly what the code needs. No unrelated cloud or system credentials are requested.
Instruction Scope
Runtime instructions and scripts are narrowly scoped to: (1) read an XAI API key (env var or ~/.clawdbot/clawdbot.json fallbacks), (2) optionally read local image files (for vision features) and convert to data URLs, and (3) call x.ai APIs (responses, models). The only scope caveat: the code looks up multiple fallback keys inside ~/.clawdbot/clawdbot.json (including other skills' entries) to find an API key. This is plausible as a convenience fallback but means the skill will attempt to read that single config file for keys; it does not, however, send that whole file anywhere or call other external endpoints.
Install Mechanism
No install spec / remote download is present. All code is bundled in the skill package and there are no external URLs or archives fetched at install time. That minimizes install-time risk. The scripts do assume a Node runtime on PATH.
Credentials
The skill requires a single primary credential (XAI_API_KEY) which is appropriate for calling xAI APIs. The code does read ~/.clawdbot/clawdbot.json for fallback values and checks several possible keys (xai-plus, xai, grok-search, search-x). This is reasonable for convenience but could expose other API keys stored in that config if they are named similarly; the script uses whichever key it finds and only transmits that key to api.x.ai. No other unrelated environment variables or credentials are requested.
Persistence & Privilege
Skill does not request always:true and does not modify other skills or system-wide configuration. It does not create persistent background services or install new binaries. Autonomous invocation is enabled (default) but not combined with other red flags.
Assessment
This skill appears to do what it says: it needs Node and your xAI API key and will call api.x.ai endpoints. Before installing, consider: 1) Provide only a dedicated xAI API key (do not reuse unrelated secrets). 2) The scripts will try to read ~/.clawdbot/clawdbot.json to locate a key (including other skills' apiKey fields) — if that file contains unrelated secrets, consider removing them or using the XAI_API_KEY env var instead. 3) Any images you pass will be base64-encoded and sent to x.ai — don't upload sensitive images unless you trust x.ai. 4) No external downloads or unknown endpoints are present in the package. If you want extra caution, inspect the bundled scripts locally (they are plain JS) and run them in an isolated environment or with a low-privilege account.

Like a lobster shell, security has layers — review code before you run it.

latestvk974ah1cpkwatja5sq8ff1az8s80h6n1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔎 Clawdis
Binsnode
EnvXAI_API_KEY
Primary envXAI_API_KEY

Comments