xAI / Grok
by blueberrywoodsym · GitHub · v1.0.2
Downloads: 11620 · Stars: 15 · Active Installs: 8 · Versions: 3
Install in OpenClaw
/install x-ai
Description
Chat with Grok models via xAI API. Supports Grok-3, Grok-3-mini, vision, and more.
Usage Guidance
Install only if you are comfortable sending prompts, system prompts, X search queries, and any selected image files to xAI. Avoid using it with screenshots, documents, photos, or prompts containing secrets, personal data, regulated data, or proprietary information unless that sharing is acceptable.
Capability Analysis
Type: OpenClaw Skill
Name: x-ai
Version: 1.0.2
The skill is classified as suspicious due to a potential arbitrary file read vulnerability in `scripts/chat.js`. The `imageToBase64` function uses `path.resolve` and `fs.readFileSync` on a user-provided image path. While it includes an extension whitelist (e.g., `.jpg`, `.png`), an attacker could potentially craft a path (e.g., `../../../secrets/mykey.png`) to read sensitive files that happen to have an allowed image extension and are accessible via path traversal. This is a vulnerability, not clear malicious intent, as the code's purpose is to facilitate image uploads to the xAI API. No evidence of prompt injection or other malicious behavior was found.
Capability Assessment
Purpose & Capability
The advertised purpose is chatting with Grok, vision analysis, model listing, and X search; the scripts consistently call api.x.ai and use the xAI API key for those functions.
Instruction Scope
The skill is user-invocable and sets disable-model-invocation: true. The trigger 'ask grok' is somewhat broad, but it remains provider-specific and does not by itself show deceptive routing.
Install Mechanism
Installation is a normal ClawHub install or git clone with Node scripts; package metadata has no install hooks or dependency-based execution path.
Credentials
Prompts, system prompts, X search queries, and chosen image files are sent to xAI. SKILL.md discloses this, but README and CLI help could make the third-party upload/privacy point more prominent.
Persistence & Privilege
No persistence, background workers, privilege escalation, broad local indexing, credential harvesting, or writes were found; local file access is limited to the user-supplied image path.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install x-ai
- After installation, invoke the skill by name or use /x-ai
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
- Added a prominent link to external installation and use instructions at the top of the setup section.
- No changes to functionality or commands; documentation update only.
v1.0.1
- No user-facing changes in this release.
- Documentation, permissions, and usage details remain unchanged.
v1.0.0
- Initial release of the xai skill.
- Chat with Grok models via xAI API, supporting text and vision (image analysis).
- Includes search functionality for real-time X/Twitter posts with citations.
- Supports multiple Grok models including grok-3, grok-3-mini, grok-3-fast, and vision.
- User-invocable only; cannot be called autonomously by agents.
- Simple setup: requires only XAI_API_KEY environment variable.
Frequently Asked Questions
What is xAI / Grok?
Chat with Grok models via xAI API. Supports Grok-3, Grok-3-mini, vision, and more. It is an AI Agent Skill for Claude Code / OpenClaw, with 11620 downloads so far.
How do I install xAI / Grok?
Run "/install x-ai" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is xAI / Grok free?
Yes, xAI / Grok is completely free (open-source). You can download, install and use it at no cost.
Which platforms does xAI / Grok support?
xAI / Grok is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created xAI / Grok?
It is built and maintained by blueberrywoodsym (@blueberrywoodsym); the current version is v1.0.2.