Wip Grok

xAI Grok API. Search the web, search X, generate images, generate video.

MIT-0 · Free to use, modify, and redistribute. No attribution required.

⭐ 0 · 383 · 0 current installs · 0 all-time installs

byParker Todd Brooks@parkertoddbrooks

MIT-0

Security Scan

VirusTotal

Suspicious

View report →

OpenClaw

Suspicious

medium confidence

ℹ

Purpose & Capability

The name/description match the code: web/X search plus image/video generation via xAI Grok. However the registry metadata declared no required env vars or primary credential while the SKILL.md and core.mjs clearly expect an XAI_API_KEY (and a fallback read from 1Password). That mismatch between declared requirements and actual code is an inconsistency.

Instruction Scope

SKILL.md and the code instruct the agent to use an API key (env or 1Password) and to accept local file paths for edit_image and image-to-video flows. core.mjs will read local files (readFileSync) and base64-encode them, then POST those bytes to the external x.ai API. That behavior is expected for an image-editing tool but is a potential data-exfiltration vector if an agent (or user input) supplies paths to sensitive files. core.mjs also runs execSync('op read ...') to access 1Password; using child_process execution increases the risk surface compared with purely network-only code.

ℹ

Install Mechanism

There is no install spec (instruction-only), which is lower-risk. All code is included in the repo and no downloads/install-time extracts occur. One operational oddity: mcp-server.mjs imports '@modelcontextprotocol/sdk/...' but package.json declares no dependencies, so runtime will fail unless the environment already has these packages — this is an operational inconsistency rather than a direct security exploit.

Credentials

The skill legitimately needs an xAI API key, which is proportional to its stated purpose. But registry metadata claimed no required env vars while SKILL.md/openclaw.install expect XAI_API_KEY and core.mjs will attempt to read 1Password (op CLI). The use of 1Password via execSync is reasonable as convenience, but it requires the op CLI to be available and grants the skill the ability to run a shell command to read secrets. That combination should be noted before granting runtime access.

✓

Persistence & Privilege

The skill does not request always:true, does not modify other skills or system-wide agent settings, and contains no install-time persistence. It runs as a normal user-space module and only uses its own code and (optional) local files when invoked.

What to consider before installing

Before installing, be aware of these points: - The skill requires an xAI API key (XAI_API_KEY) even though the registry metadata claims none; SKILL.md and core.mjs will fail without it. - core.mjs will try to read the key from 1Password using the 'op' CLI (execSync). That means the skill runs a shell command; ensure you trust the code and have the op CLI configured if you want that behavior. - The edit_image and image-to-video flows accept local file paths and will read and base64-encode files (readFileSync) and send them to the external x.ai service. Do not pass paths to sensitive local files (password stores, private keys, configuration files) — supplying such paths would leak their contents to the external API. - package.json does not list the MCP SDK dependencies that mcp-server.mjs imports; this is an operational inconsistency (you may need to install those packages or run the MCP server in an environment that already provides them). - If you plan to allow autonomous agent invocation, be cautious: an autonomous agent could be tricked into passing local file paths or otherwise invoking edit_image/video with data that results in sensitive data being uploaded. Recommendations: - Only install/run this skill from a trusted source and review the code (core.mjs, mcp-server.mjs) yourself. - If you don't want 1Password CLI access, set XAI_API_KEY explicitly in the environment and/or remove/modify the op read fallback. - Restrict agent inputs so it cannot supply arbitrary local file paths to edit_image or generate_video image seeds. - Consider running the MCP server in a sandboxed environment or container to limit filesystem access if you need the MCP interface.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.2

Download zip

latestvk9741nsk155wcgx1f536jkpn1n81kw89

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

wip-grok

xAI Grok API. Sensor (search) + Actuator (generate). All xAI functions in one tool.

When to Use This Skill

Sensor: Search

Use search_web for:

Current information from websites, news, documentation
Real-time data (stock prices, weather, recent events)
Finding information from specific domains
Verifying current facts

Use search_x for:

What people are saying on X/Twitter about a topic
Trending discussions and social sentiment
Real-time reactions to events
Posts from specific X handles/users

Actuator: Generate

Use generate_image for:

Creating images from text descriptions
Generating multiple variations of a concept
Creating images with specific aspect ratios

Use edit_image for:

Modifying existing images with natural language
Style transfer, color changes, adding/removing elements
Combining up to 3 source images

Use generate_video for:

Creating short video clips (1-15 seconds)
Animating still images (image-to-video)
Text-to-video generation

Do NOT Use For

Fetching a specific X post by URL (use wip-x fetch_post instead)
Posting tweets (use wip-x post_tweet)
Reading bookmarks (use wip-x get_bookmarks)
Historical facts that won't change
Mathematical calculations

API Reference

search_web(options)

const result = await search_web({ query: "latest news about AI" });
// result: { content, citations, usage, raw_response }

Options: query (required), model, allowed_domains (max 5), excluded_domains (max 5), enable_image_understanding

search_x(options)

const result = await search_x({ query: "AI thoughts", allowed_x_handles: ["elonmusk"] });

Options: query (required), model, allowed_x_handles (max 10), excluded_x_handles (max 10), from_date, to_date, enable_image_understanding, enable_video_understanding

generate_image(options)

const result = await generate_image({ prompt: "a red cube", n: 1, aspect_ratio: "1:1" });
// result: { images: [{ url, revised_prompt }] }

Options: prompt (required), model, n (1-10), response_format ("url"|"b64_json"), aspect_ratio

Cost: $0.02 per image. URLs are temporary ... download promptly.

edit_image(options)

const result = await edit_image({ prompt: "make it blue", image: "https://..." });

Options: prompt (required), image (required, URL or file path or base64), model, n, response_format

Cost: $0.022 per image (input + output).

generate_video(options)

const { request_id } = await generate_video({ prompt: "sunset timelapse", duration: 10 });
const result = await wait_for_video({ request_id });
// result: { status: "completed", url: "https://..." }

Options: prompt (required), model, duration (1-15 sec), resolution ("480p"|"720p"), aspect_ratio, image (seed image URL)

Cost: $0.05/sec at 480p, $0.07/sec at 720p. URLs are temporary.

poll_video(options) / wait_for_video(options)

Poll or wait for async video generation. wait_for_video is a convenience wrapper that polls until complete or timeout.

Troubleshooting

"XAI_API_KEY not found"

Set via environment or 1Password: op://Agent Secrets/X API/api key

Slow search responses

Grok reasoning models can take 30-60+ seconds. This is normal.

Temporary URLs

Image and video URLs expire. Download or process them immediately after receiving.

API Documentation

Web Search: https://docs.x.ai/developers/tools/web-search
X Search: https://docs.x.ai/developers/tools/x-search
Image Generation: https://docs.x.ai/docs/guides/image-generations
Video Generation: https://docs.x.ai/docs/guides/video-generations

Files

7 total

Select a file

Select a file to preview.

Comments

Loading comments…