Back to skill

Security audit

grok-search

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed xAI/Grok integration for web and X search, with chat, vision, and model-listing helpers that match the documented API-key-based workflow.

Install only if you are comfortable sending your search queries, prompts, and any explicitly provided images to xAI under your XAI_API_KEY. Avoid using it for secrets or private images unless you intend to transmit that content to xAI.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill is presented as a search-focused tool, but the documentation explicitly exposes broader capabilities including arbitrary chat, vision chat, and model listing. This increases the skill’s effective authority and may cause an agent or user to invoke a third-party LLM for tasks beyond the intended search scope, including sending prompts or images to xAI without an obvious scope warning.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script implements general-purpose chat with arbitrary prompts, while the skill metadata describes a search-focused capability using server-side search tools. This scope expansion matters because users and policy controls may trust the skill as a bounded search utility, but the code can send arbitrary text and images to the external model API, increasing data exposure and enabling unintended use beyond the declared purpose.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The image handling code reads local files and inlines them as base64 data URLs for transmission to the xAI API. In a skill presented as search-only, this introduces undeclared local file access and external exfiltration of image contents, which can expose sensitive screenshots, documents saved as images, or other private local data.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script reads an API key not only from its own environment but also from a broader ~/.clawdbot/clawdbot.json configuration file, including multiple unrelated skill namespaces. That expands credential access beyond the immediate task of listing xAI models and can cause unintended cross-skill secret reuse or exposure if this script is invoked in a context that should not have access to the global config.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger list includes broad phrases like 'search x', 'search twitter', and 'find tweets' that can match common user intents and cause this skill to activate when a narrower or safer built-in tool might be more appropriate. Over-broad activation increases the chance of unintended third-party data disclosure and expands the opportunity for prompt-routing mistakes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documentation does not prominently warn that user queries, prompts, and possibly image inputs are sent to xAI’s server-side API and tools. Without explicit disclosure, users or orchestrating agents may unknowingly transmit sensitive information to an external service, creating privacy, compliance, and data-handling risks.

External Transmission

Medium
Category
Data Exfiltration
Content
store: false,
};

const res = await fetch("https://api.x.ai/v1/responses", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
Confidence
95% confidence
Finding
fetch("https://api.x.ai/v1/responses", { method: "POST"

External Transmission

Medium
Category
Data Exfiltration
Content
store: false,
};

const res = await fetch("https://api.x.ai/v1/responses", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
Confidence
95% confidence
Finding
https://api.x.ai/

Shadow Command Trigger

Medium
Category
Trigger Abuse
Confidence
88% confidence
Finding
The trigger 'search x' can shadow or compete with a built-in 'search' command, causing the agent to invoke this external xAI-backed skill instead of the expected default search behavior. That redirection can send user input to a third party and alter execution semantics in ways the user did not intend.

Shadow Command Trigger

Medium
Category
Trigger Abuse
Confidence
88% confidence
Finding
The trigger 'search twitter' similarly overlaps with a generic built-in 'search' action and may divert ordinary search requests into this skill. Because this skill uses an external API, such diversion can unexpectedly expose user queries and create confusing or unsafe tool-selection behavior.

Shadow Command Trigger

Medium
Category
Trigger Abuse
Confidence
82% confidence
Finding
The trigger 'find tweets' can conflict with a generic built-in 'find' command, making invocation ambiguous and potentially causing the agent to route a simple local or built-in lookup request to an external search skill. While the impact is somewhat lower than direct 'search' shadowing, it still risks unintended activation and unnecessary disclosure of user queries.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/selftest.mjs:18

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/chat.mjs:34

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/chat.mjs:110

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/grok_search.mjs:130

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/models.mjs:51