xAI Grok Search
v1.0.3
Search the web and X (Twitter) using xAI's Grok API with real-time access, citations, and image understanding
⭐ 18 · 2.9k · 20 current · 22 all-time
by Christopher Stanley @castanley
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description, SKILL.md, and search.mjs all consistently implement web and X (Twitter) searches via xAI's Responses API and require an XAI_API_KEY — that capability request is coherent with the claimed purpose. However, the registry metadata shown at the top states "Required env vars: none" while the SKILL.md and code both require XAI_API_KEY. The homepage field is a generic placeholder (github.com/yourusername/...), and the source is listed as unknown, which is inconsistent with the claimed author/owner and reduces trust in provenance.
Instruction Scope
SKILL.md and the included search.mjs confine runtime behavior to sending POSTs to https://api.x.ai/v1/responses with tools of type 'web_search' or 'x_search'. They only reference process.env.XAI_API_KEY and do not read arbitrary system files, other env vars, or send data to unexpected endpoints. The skill returns raw_response and server_side_tool_usage, which may expose additional API-returned metadata, but that is consistent with a search tool.
Install Mechanism
There is no install spec (instruction-only) and the code file is bundled directly. This minimizes installer risk — nothing is downloaded from external arbitrary URLs and no archives are extracted. The skill will run the included JS when invoked.
Credentials
The only runtime secret required by the code is XAI_API_KEY, which is proportionate for a third-party Grok API integration. However, the registry metadata omitted this required env var, an inconsistency that could confuse users and automated installers. Ensure the API key is scoped and rotated appropriately; do not reuse high-privilege or long-lived keys.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It does not claim persistent privileges beyond using the provided API key at runtime.
What to consider before installing
- Provenance: The package's registry metadata and homepage are inconsistent/placeholder and the source author is 'unknown' — verify the repository and publisher (look for a real GitHub repo, commit history, and a trustworthy owner) before trusting the code or API key.
- Required secret: The code requires XAI_API_KEY. Only provide a properly scoped, minimal-privilege API key. Do not reuse credentials that grant access to other services.
- Data flow: Queries and any user-provided text/images will be sent to api.x.ai. If users will submit sensitive material, check x.ai's privacy policy and how the API handles retained data.
- Returned metadata: The skill returns raw_response and server_side_tool_usage fields; review what those contain in practice to avoid unintentionally exposing internal metadata to end users.
- Quick checks to perform: review the repository for additional files, ensure no hidden endpoints or obfuscated code exist, run the code with a test API key in a sandbox, and confirm the endpoint is the official x.ai domain (https://api.x.ai). If anything about the repo or publisher looks incomplete or wrong, prefer not to install until provenance is clarified.
- If you want higher assurance: ask the publisher for a canonical repo URL and signed release, or request that the registry metadata be corrected to declare the XAI_API_KEY dependency explicitly.

Like a lobster shell, security has layers — review code before you run it.
latestvk9738j70g3fmqb9q92xnh3d5gx816jd2
