xAI

Security checks across malware telemetry and agentic risk

Overview

This appears to be a straightforward xAI/Grok API wrapper, with expected API-key and data-sharing considerations and minor provenance metadata gaps.

This skill looks coherent for chatting with Grok and using xAI search. Before installing, verify the source because registry provenance is limited, use a dedicated XAI_API_KEY if possible, and avoid passing sensitive prompts or local images/files unless you intend to send them to xAI.

VirusTotal

64/64 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Prompts, image inputs, and X search queries may leave the local environment and be processed by xAI.

Why it was flagged

This confirms that user content is sent to the external xAI service. That is expected for this skill, but users should avoid sending sensitive prompts, files, or images unless they are comfortable sharing them with xAI.

Skill content
Wraps the xAI API (`https://api.x.ai`). Chat uses the standard completions endpoint. X search uses the Responses API with the `x_search` tool for real tweets with citations.
Recommendation

Use the skill only for content you are comfortable sending to xAI, and review xAI's data handling terms for sensitive work.

ASI03: Identity and Privilege Abuse
Low
What this means

The API key may allow xAI account usage and billing under the user's account.

Why it was flagged

The skill uses an xAI API key from the environment or a local config file and sends it as a bearer token to xAI. This is purpose-aligned and bounded to the xAI key, but it is still delegated account authority.

Skill content
if (process.env.XAI_API_KEY) { return process.env.XAI_API_KEY; } ... const key = config?.skills?.entries?.xai?.apiKey; ... 'Authorization': `Bearer ${apiKey}`
Recommendation

Use a dedicated xAI API key if possible, keep it out of shared logs, and monitor xAI usage or billing.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

Users have less registry-level assurance that the packaged skill matches the upstream project they expect.

Why it was flagged

The registry source is not provided. The artifacts do include readable source files and no install-time dependency execution, so this is a provenance note rather than evidence of unsafe behavior.

Skill content
Source: unknown ... Version: 1.3.1
Recommendation

Verify the listed repository and package contents before installing, especially if using the skill with a real API key.