grok-search

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed xAI/Grok search and chat wrapper that sends user-chosen queries, prompts, and optional images to xAI, with no evidence of hidden persistence, unrelated exfiltration, or destructive behavior.

Install only if you are comfortable giving the skill access to an xAI API key and sending search queries, chat prompts, and any image file you explicitly name to xAI. Use a dedicated revocable key where possible, avoid sensitive prompts or images unless acceptable, monitor provider usage, and run the self-test only when you intend to make real API calls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

Severity: Medium
Confidence: 84%
Finding
The skill is presented as a search-only integration, but the documentation also exposes general chat and model-listing commands. This expands the operational scope beyond what a user or calling agent would reasonably expect, increasing the chance of unintended data disclosure, unreviewed third-party prompt transmission, or misuse of capabilities that were not justified by the declared purpose.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding
Vision chat allows local image content to be sent to the xAI API even though the skill is framed as a web/X search tool. That mismatch can cause users or agents to invoke the skill without understanding that sensitive local files may be exfiltrated to a remote service.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The implementation does not match the declared skill purpose: it is a general Grok chat client rather than a constrained web/X search tool. This matters because users and higher-level agents may trust the manifest to bound behavior, but this script can send arbitrary prompts to a third-party model endpoint, expanding data exposure and capability beyond what was advertised.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The script accepts local image paths and uploads image contents to the xAI API, even though the skill is described as search-only. That mismatch increases the chance that users or orchestrators unintentionally exfiltrate sensitive local files under the assumption they are invoking a limited search skill.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The script reads an API key not only from the environment but also from a broad user home-directory config file under ~/.clawdbot, including multiple nested locations unrelated to this specific script. That expands credential access beyond the minimum needed for listing models and creates a larger trust boundary: any invocation of this script can silently consume credentials from unrelated local configuration, which is risky in a skill context where file access should be tightly scoped.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding
The trigger set includes broad terms such as 'grok' and 'xai', which may activate the skill for generic discussion rather than an intentional request to query an external service. Overbroad activation can lead to accidental network use, unintended third-party data sharing, and invocation of a skill whose capabilities exceed the user's immediate intent.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The documentation does not clearly warn that prompts, queries, and potentially local image contents are sent to the xAI Responses API. This creates a real risk of users or agents unintentionally transmitting sensitive text or files to an external provider without informed consent.

VirusTotal

63/63 vendors flagged this skill as clean.