grok-search

Pass

Audited by ClawScan on May 10, 2026.

Overview

The visible artifacts show a coherent xAI/Grok search wrapper; it uses an xAI API key and sends user-selected requests to xAI, but no hidden exfiltration or destructive behavior is evident.

Before installing, make sure you are comfortable giving this skill access to an xAI API key and sending queries, prompts, and any selected images to xAI. Use a dedicated/revocable key where possible, avoid sending sensitive content unless acceptable, verify search citations, and run the self-test only if you intend to make real API calls.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

It is harder to independently verify where the bundled scripts came from.

Why it was flagged

The registry metadata does not identify a source repository or package provenance. No remote installer is shown, so this is a provenance note rather than evidence of malicious behavior.

Skill content

Source: unknown

Recommendation

Install only if you trust the registry publisher or have reviewed the bundled scripts you will run.

What this means

Your search queries and prompts can be sent to xAI, and returned web/X content should be treated as untrusted until verified.

Why it was flagged

The skill intentionally gives the agent a wrapper around xAI's external search tools. This is purpose-aligned, but queries leave the local environment and may consume provider quota.

Skill content

Search the web or X/Twitter using xAI Grok server-side tools (web_search, x_search) via the xAI Responses API.

Recommendation

Use the skill for intended research tasks, avoid sensitive queries unless you accept xAI processing them, and verify important citations.

What this means

The agent can use the configured xAI key, which may consume quota or incur charges on that account.

Why it was flagged

The script deliberately obtains an xAI API key from the environment or Clawdbot config, including a related skill-entry fallback, to authenticate provider requests.

Skill content

process.env.XAI_API_KEY || j?.env?.XAI_API_KEY || j?.env?.vars?.XAI_API_KEY || j?.skills?.entries?.["grok-search"]?.apiKey || j?.skills?.entries?.["search-x"]?.apiKey

Recommendation

Use a dedicated, revocable xAI API key if possible and monitor provider usage.

What this means

If you run the self-test, it will execute local Node scripts and use the configured xAI API key for several test calls.

Why it was flagged

The self-test script spawns Node child processes to run bundled scripts and make real API calls. It is not shown as an automatic install step.

Skill content

const p = spawn(process.execPath, args, { cwd: __dirname, env: process.env, stdio: ["ignore", "pipe", "pipe"] });

Recommendation

Run selftest.mjs only intentionally and only when you are comfortable spending xAI API quota.