xAI Prepaid Monitor
PassAudited by ClawScan on May 13, 2026.
Overview
This skill is a coherent xAI balance monitor that uses an xAI management key and optional cron alerts, with no hidden or destructive behavior found.
This appears safe for its stated purpose if you are comfortable giving it an xAI management key and running it on a schedule. Store the key securely, verify the cron prompt and alert/task destinations, and remove the cron job and environment variables when you no longer need monitoring.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill requires supplying an xAI management key, which lets the script access billing/prepaid balance information for the configured team.
The script reads an xAI management key and sends it as a bearer token to the xAI Management API. This is purpose-aligned for checking billing balance, but it is still sensitive account authority.
management_key = os.getenv("XAI_MANAGEMENT_KEY") ... "Authorization": f"Bearer {management_key}"Use the least-privileged xAI key available, store it securely as an environment variable, and rotate or remove it if the monitor is no longer needed.
If enabled in a cron or automation workflow, the agent can run the local balance-check script and create a task when credits are low.
The skill explicitly asks the agent to execute the local script and may optionally mutate a task system by creating a follow-up task. This is scoped to the monitor workflow and not hidden.
1. Run the script with `exec` ... 6. Optionally create a follow-up task in the user’s task system
Keep the executed script path fixed, review any alert or task integration before enabling it, and use duplicate-safe task creation as suggested.
A cron setup can keep using the xAI API key and posting alerts on a schedule.
The skill is designed to be used in recurring cron jobs. This is expected for monitoring and is not automatically installed, but users should know scheduled jobs continue until disabled.
Use these as prompt templates for isolated cron jobs. ... Suggested schedule: - once early morning - or twice daily
Only create the cron job intentionally, choose an appropriate schedule, and document how to disable or remove it.
Users relying only on registry metadata may not realize before reading the docs that the skill needs an xAI management key.
The registry metadata does not declare the required xAI environment variables or credential, even though SKILL.md and README.md document them. This is a metadata completeness gap, not hidden behavior in the provided files.
Required env vars: none ... Primary credential: none
The publisher should declare XAI_TEAM_ID and XAI_MANAGEMENT_KEY in metadata; users should review the skill docs before enabling it.