Wip Xai Grok Private
xAI Grok API. Search the web, search X, generate images, generate video.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 17 · 0 current installs · 0 all-time installs
byParker Todd Brooks@parkertoddbrooks
MIT-0
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The code implements web/X search and image/video generation consistent with the description and uses xAI endpoints (https://api.x.ai). However the skill relies on an XAI_API_KEY (documented in SKILL.md and used by core.mjs) and on the ability to call the 1Password CLI as a fallback; those runtime requirements are not reflected in the registry metadata (which lists no required env vars or binaries). The dependency on @modelcontextprotocol/sdk for the MCP server is expected for an MCP interface.
Instruction Scope
SKILL.md and README instruct use of XAI_API_KEY and 1Password (op://...). The runtime code executes an external command via execSync('op read ...') to fetch a secret from 1Password and reads local files when edit_image is used (readFileSync). That means at runtime the skill will attempt to invoke a system binary and read local files; those actions go beyond simple HTTP calls and are not declared in the registry metadata.
Install Mechanism
There is no install spec in the registry, but package.json and package-lock.json are present and declare dependencies (notably @modelcontextprotocol/sdk and its transitive deps). Installation will pull numerous npm packages (moderate risk surface). There are no downloads from untrusted URLs or extract steps in the provided manifest.
Credentials
The code requires an XAI_API_KEY (used in Authorization headers) and will try to read it from 1Password via the 'op' CLI if the env var is absent. The registry metadata did not list XAI_API_KEY or any required binaries. Apart from the single API key, no unrelated credentials are requested, but the use of the 1Password CLI implies access to local secret storage—this should be explicitly declared and reviewed.
Persistence & Privilege
The skill is not force-installed (always: false), does not request permanent platform-wide privileges, and does not modify other skills or global agent configuration. Running the MCP server is optional and only exposes the tool interfaces if the operator runs it.
What to consider before installing
This package implements the claimed Grok features, but there are a few red flags to consider before installing:
- The registry metadata does NOT declare that the skill needs XAI_API_KEY or the 1Password (op) CLI, yet SKILL.md and core.mjs expect XAI_API_KEY and call 'op read'. Confirm you are comfortable granting the skill access to that API key and that the 'op' binary (if present) is safe to use.
- core.mjs uses child_process.execSync('op read ...') and will run that CLI on your system if the env var is missing. If you do not want third-party code to invoke local CLIs, do not install/run this skill or inspect and remove the fallback before use.
- The edit_image function reads local files (readFileSync) when given a file path and can base64-encode them for upload. Do not pass sensitive filesystem paths to this skill; audit the code if you plan to allow user-controlled file paths.
- package.json and package-lock.json show many npm dependencies; install in a sandbox or verify dependency integrity (e.g., audit lockfile) before running in production.
Recommendations:
1) Ask the publisher to update registry metadata to declare required env vars (XAI_API_KEY) and required binaries ('op' if relying on 1Password CLI). 2) If you plan to use it, run it in an isolated environment (container) and inspect or remove the execSync fallback if you don't want CLI access. 3) Verify the API key scope and rotate it if you test in a shared environment. 4) If you need higher assurance, request a signed release or a reproducible build and review the package-lock dependencies.core.mjs:28
Shell command execution detected (child_process).
core.mjs:22
Environment variable access combined with network send.
core.mjs:6
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
Current versionv1.0.3
Download ziplatest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
wip-xai-grok
xAI Grok API. Sensor (search) + Actuator (generate). All xAI functions in one tool.
When to Use This Skill
Sensor: Search
Use search_web for:
- Current information from websites, news, documentation
- Real-time data (stock prices, weather, recent events)
- Finding information from specific domains
- Verifying current facts
Use search_x for:
- What people are saying on X/Twitter about a topic
- Trending discussions and social sentiment
- Real-time reactions to events
- Posts from specific X handles/users
Actuator: Generate
Use generate_image for:
- Creating images from text descriptions
- Generating multiple variations of a concept
- Creating images with specific aspect ratios
Use edit_image for:
- Modifying existing images with natural language
- Style transfer, color changes, adding/removing elements
- Combining up to 3 source images
Use generate_video for:
- Creating short video clips (1-15 seconds)
- Animating still images (image-to-video)
- Text-to-video generation
Do NOT Use For
- Fetching a specific X post by URL (use wip-xai-x fetch_post instead)
- Posting tweets (use wip-xai-x post_tweet)
- Reading bookmarks (use wip-xai-x get_bookmarks)
- Historical facts that won't change
- Mathematical calculations
API Reference
search_web(options)
const result = await search_web({ query: "latest news about AI" });
// result: { content, citations, usage, raw_response }
Options: query (required), model, allowed_domains (max 5), excluded_domains (max 5), enable_image_understanding
search_x(options)
const result = await search_x({ query: "AI thoughts", allowed_x_handles: ["elonmusk"] });
Options: query (required), model, allowed_x_handles (max 10), excluded_x_handles (max 10), from_date, to_date, enable_image_understanding, enable_video_understanding
generate_image(options)
const result = await generate_image({ prompt: "a red cube", n: 1, aspect_ratio: "1:1" });
// result: { images: [{ url, revised_prompt }] }
Options: prompt (required), model, n (1-10), response_format ("url"|"b64_json"), aspect_ratio
Cost: $0.02 per image. URLs are temporary ... download promptly.
edit_image(options)
const result = await edit_image({ prompt: "make it blue", image: "https://..." });
Options: prompt (required), image (required, URL or file path or base64), model, n, response_format
Cost: $0.022 per image (input + output).
generate_video(options)
const { request_id } = await generate_video({ prompt: "sunset timelapse", duration: 10 });
const result = await wait_for_video({ request_id });
// result: { status: "completed", url: "https://..." }
Options: prompt (required), model, duration (1-15 sec), resolution ("480p"|"720p"), aspect_ratio, image (seed image URL)
Cost: $0.05/sec at 480p, $0.07/sec at 720p. URLs are temporary.
poll_video(options) / wait_for_video(options)
Poll or wait for async video generation. wait_for_video is a convenience wrapper that polls until complete or timeout.
Troubleshooting
"XAI_API_KEY not found"
Set via environment or 1Password: op://Agent Secrets/X API/api key
Slow search responses
Grok reasoning models can take 30-60+ seconds. This is normal.
Temporary URLs
Image and video URLs expire. Download or process them immediately after receiving.
API Documentation
- Web Search: https://docs.x.ai/developers/tools/web-search
- X Search: https://docs.x.ai/developers/tools/x-search
- Image Generation: https://docs.x.ai/docs/guides/image-generations
- Video Generation: https://docs.x.ai/docs/guides/video-generations
Files
10 totalSelect a file
Select a file to preview.
Comments
Loading comments…