ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Grok Research

v1.0.0

Crypto research via Grok model's real-time X/Twitter knowledge. Forwards the user's query as-is to Grok API — no prompt injection, no context bloat. Use when...

0· 733·5 current·6 all-time
bypollo@arespollo

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for arespollo/grok-research.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Grok Research" (arespollo/grok-research) from ClawHub.
Skill page: https://clawhub.ai/arespollo/grok-research
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install grok-research

ClawHub CLI

Package manager switcher

npx clawhub@latest install grok-research
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's code and SKILL.md align with the stated purpose: it forwards user queries to a remote Grok API and returns the model output. However the description claims 'real-time X/Twitter knowledge' (an external capability of the Grok service) but the skill itself does not access X/Twitter — it only proxies to the ai.a9.bot endpoint. This claim therefore depends entirely on the remote service, not on the skill. Also the top-of-file comment references a different env var name (GROK_API_KEY) than the rest of the repo and SKILL.md (A9_GROK_API_KEY), which is an inconsistency.
Instruction Scope
SKILL.md instructs the agent to forward the user's message 'as-is' to the Grok API and the code does exactly that. That means any prompt-injection content in user input will be forwarded to the external API — the marketing claim 'no prompt injection' is misleading: the skill avoids adding prompts, but does not sanitize or block injected content. The SKILL.md also suggests running the script with bun, but the declared required binaries list is empty (see install mech). The code does not read local files, other env vars, or configurations beyond the API key.
!
Install Mechanism
There is no explicit install spec (instruction-only), which reduces risk, but the script requires the 'bun' runtime (shebang and usage examples). The registry metadata lists no required binaries — that is an inconsistency and may lead to runtime surprises. No external downloads or archives are used.
Credentials
Only a single API credential (A9_GROK_API_KEY) is required, which is proportionate to the stated purpose. Caveat: the source owner and homepage are unknown and the destination host (https://ai.a9.bot) is not documented in registry metadata; supplying your API key will send user queries to that third-party endpoint.
Persistence & Privilege
The skill does not request persistent installation privileges (always:false), does not modify other skills or system settings, and contains no install hooks. It runs as a simple proxy CLI when invoked.
What to consider before installing
This skill will forward whatever the user types to an external API at https://ai.a9.bot/v1 using the A9_GROK_API_KEY you provide — so do not send secrets or sensitive data through it. Confirm the domain and API provider are legitimate before adding your key. The package expects the 'bun' runtime but the registry metadata doesn't declare this; ensure bun is available. Note the SKILL.md claims 'no prompt injection' but the code forwards user input unchanged (it does not sanitize). Also there is a small env-name mismatch in the file comment versus SKILL.md/code (GROK_API_KEY vs A9_GROK_API_KEY). If you need higher assurance, ask the publisher for provenance (source repo/homepage), verify the ai.a9.bot service, and run the script in a controlled environment with a throwaway API key first.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c0few14kbgf8cr7b60g1gq181rz4p
733downloads
0stars
1versions
Updated 17h ago
v1.0.0
MIT-0
pollo@arespollo
latest
Download

Grok Research

Forward user's research query directly to Grok API. No extra prompts — what the user says is exactly what Grok receives.

Config

Env var A9_GROK_API_KEY required. API base URL: https://ai.a9.bot/v1 (hardcoded).

Usage

cd ~/.openclaw/workspace/skills/grok-research
bun run grok-research.ts <query>
bun run grok-research.ts --model grok-4.20-beta <query>

Default model: grok-4.20-beta. Another model: --model grok-4.1-thinking.

How to Call

Pass the user's original message as the query. Do not add system prompts or templates — forward as-is.

Example: user says "调研一下代币叙事 $buttcoin Cm6fNnMk..." → bun run grok-research.ts "调研一下代币叙事 $buttcoin Cm6fNnMk..."

Output

  • stdout: Grok's response (forward to user)
  • stderr: status/errors
  • Format for Discord before sending (no markdown tables)

Comments

Loading comments...