ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

xAI / Grok

v1.0.2

Chat with Grok models via xAI API. Supports Grok-3, Grok-3-mini, vision, and more.

15· 10.3k·7 current·8 all-time
by@blueberrywoodsym
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (xAI / Grok) aligns with the included scripts: chat.js, models.js, and search-x.js. Requested binary (node) and primary env var (XAI_API_KEY) are exactly what a client for xAI would need.
Instruction Scope
SKILL.md and the scripts limit behavior to sending prompts/images to api.x.ai and listing models; image uploads are constrained to specific extensions. The scripts do not read arbitrary config files or extra environment variables beyond XAI_API_KEY/XAI_MODEL. There are no instructions to transmit data to endpoints other than api.x.ai.
Install Mechanism
No install spec — code files are bundled and executed via node. No downloads or archive extraction are performed by the skill itself; risk from installation is low.
Credentials
Only XAI_API_KEY (and optional XAI_MODEL) are required. These credentials are proportional and necessary for the described functionality; no unrelated secrets or config paths are requested.
Persistence & Privilege
The skill does not request always:true and declares disable-model-invocation:true (no autonomous invocation). It does not modify other skills or system-wide config and does not persist credentials itself.
Assessment
This skill appears coherent and limited to acting as an xAI/Grok client. Before installing: (1) confirm you trust the skill source (the repository owner is unknown here); (2) only provide a dedicated xAI API key (avoid reusing broad or admin keys) and consider key rotation; (3) review the bundled scripts yourself if you have doubts — they read any image path you pass (so avoid sending sensitive images); (4) be aware network requests go to api.x.ai (inspect network policy if you require allowlists). If you need autonomous agent invocation, note this skill disables it by default.

Like a lobster shell, security has layers — review code before you run it.

latestvk97emc0103ztnt4nh0x8apndk581jyfx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🤖 Clawdis
Binsnode
EnvXAI_API_KEY
Primary envXAI_API_KEY

Comments