xAI Plus
PassAudited by ClawScan on May 10, 2026.
Overview
The skill appears to be a coherent xAI/Grok wrapper, but it uses your xAI API key and sends prompts, searches, and selected images to xAI.
This looks safe to use if you trust the publisher and are comfortable sending the requested text, searches, and selected images to xAI. Use a dedicated xAI API key, avoid confidential inputs, and review your local Clawdbot config so the skill uses the credential you expect.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You have less external context for verifying the publisher or upstream project before trusting the bundled scripts with an API key.
The skill has limited upstream provenance information, although the artifacts do not show remote install scripts, package downloads, or hidden dependencies.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Verify the registry owner/package before use and prefer a dedicated, revocable xAI API key.
The skill can consume your xAI account quota when invoked and may reuse an existing xAI/search-related API key from local config.
The script reads an xAI credential from environment variables or local Clawdbot config, including fallback aliases for related skill entries, then uses it for xAI API authentication.
process.env.XAI_API_KEY || j?.env?.XAI_API_KEY || j?.skills?.entries?.["xai-plus"]?.apiKey || ... ["grok-search"]?.apiKey || ... ["search-x"]?.apiKey
Use a dedicated xAI API key for this skill, store it only in the intended config location, and revoke or rotate it if you stop using the skill.
Sensitive text or selected image contents may be transmitted to xAI when the skill is used.
User prompts and any image files passed with --image are encoded into the request body and sent to xAI; other scripts similarly send search and analysis prompts to api.x.ai.
content.push({ type: "input_image", image_url: toDataUrl(img) }); ... fetch("https://api.x.ai/v1/responses", ... body: JSON.stringify(body))Do not send confidential prompts or images unless that is acceptable for your xAI account and data-handling expectations.