Search X
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: search-x
Version: 1.2.1
The skill bundle provides a legitimate tool for searching X/Twitter via the xAI API. The core logic in scripts/search.js is well-structured, using standard Node.js modules to interact with the official api.x.ai endpoint. It retrieves the required API key from environment variables or a local configuration file (~/.clawdbot/clawdbot.json) in a transparent manner. No malicious behaviors such as data exfiltration, unauthorized command execution, or harmful prompt injection instructions were identified.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may not run unless Node is available, and users should verify they are running the intended bundled script.
The runtime instructions require Node, while the registry lists no required binaries and no install spec. This is a metadata completeness/provenance note rather than hidden execution because the script is included and no remote installer is shown.
node {baseDir}/scripts/search.js "AI video editing"
Declare Node as a required runtime, keep registry/SKILL/package versions consistent, and install only from a trusted package or repository.
Searches can consume the user's xAI API quota and operate under the user's xAI account.
The script uses an xAI API key from the environment or local config, including a generic xai fallback key. This is expected for xAI search, but it is account credential use.
if (process.env.XAI_API_KEY) { return process.env.XAI_API_KEY; } ... config?.skills?.entries?.['search-x']?.apiKey || config?.skills?.entries?.xai?.apiKey
Use a dedicated, revocable xAI API key where possible and monitor usage in the xAI console.
Search terms, handles, date filters, and related request metadata are shared with xAI.
The script sends the user's query and authorization token to xAI's Responses API. This external provider call is disclosed and central to the skill's purpose, but it is still a data boundary users should notice.
const API_BASE = 'api.x.ai'; ... path: '/v1/responses' ... input: `${systemPrompt}\n\nSearch X/Twitter for: ${options.query}` ... 'Authorization': `Bearer ${apiKey}`
Avoid searching for confidential or sensitive internal topics unless sharing them with xAI is acceptable under your policies.
