arespollo

Grok Research

by pollo · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Downloads: 741 · Stars: 0 · Active Installs: 5 · Versions: 1
Install in OpenClaw
/install grok-research
Description
Crypto research via Grok model's real-time X/Twitter knowledge. Forwards the user's query as-is to Grok API — no prompt injection, no context bloat. Use when...
README (SKILL.md)

Grok Research

Forward user's research query directly to Grok API. No extra prompts — what the user says is exactly what Grok receives.

Config

Env var A9_GROK_API_KEY required. API base URL: https://ai.a9.bot/v1 (hardcoded).

Usage

cd ~/.openclaw/workspace/skills/grok-research
bun run grok-research.ts <query>
bun run grok-research.ts --model grok-4.20-beta <query>

Default model: grok-4.20-beta. Another model: --model grok-4.1-thinking.

How to Call

Pass the user's original message as the query. Do not add system prompts or templates — forward as-is.

Example: user says "调研一下代币叙事 $buttcoin Cm6fNnMk..." → bun run grok-research.ts '调研一下代币叙事 $buttcoin Cm6fNnMk...'

Output

  • stdout: Grok's response (forward to user)
  • stderr: status/errors
  • Format for Discord before sending (no markdown tables)
Usage Guidance
This skill will forward whatever the user types to an external API at https://ai.a9.bot/v1 using the A9_GROK_API_KEY you provide — so do not send secrets or sensitive data through it. Confirm the domain and API provider are legitimate before adding your key. The package expects the 'bun' runtime but the registry metadata doesn't declare this; ensure bun is available. Note the SKILL.md claims 'no prompt injection' but the code forwards user input unchanged (it does not sanitize). Also there is a small env-name mismatch in the file comment versus SKILL.md/code (GROK_API_KEY vs A9_GROK_API_KEY). If you need higher assurance, ask the publisher for provenance (source repo/homepage), verify the ai.a9.bot service, and run the script in a controlled environment with a throwaway API key first.
Capability Analysis
Type: OpenClaw Skill
Name: grok-research
Version: 1.0.0
The skill is suspicious due to a critical vulnerability: the `SKILL.md` instructs the OpenClaw agent to execute `bun run grok-research.ts <query>` where `<query>` is the user's raw input. If the OpenClaw agent does not properly escape this argument before shell execution, it creates a direct path for shell injection, leading to Remote Code Execution (RCE) on the agent's host. Additionally, the `grok-research.ts` script forwards the user's query 'as-is' to the Grok API, which could allow prompt injection against the Grok model itself. While the script itself does not contain malicious code like data exfiltration or backdoors, the method of command execution exposes a significant vulnerability.
Capability Assessment
Purpose & Capability
The skill's code and SKILL.md align with the stated purpose: it forwards user queries to a remote Grok API and returns the model output. However the description claims 'real-time X/Twitter knowledge' (an external capability of the Grok service) but the skill itself does not access X/Twitter — it only proxies to the ai.a9.bot endpoint. This claim therefore depends entirely on the remote service, not on the skill. Also the top-of-file comment references a different env var name (GROK_API_KEY) than the rest of the repo and SKILL.md (A9_GROK_API_KEY), which is an inconsistency.
Instruction Scope
SKILL.md instructs the agent to forward the user's message 'as-is' to the Grok API and the code does exactly that. That means any prompt-injection content in user input will be forwarded to the external API — the marketing claim 'no prompt injection' is misleading: the skill avoids adding prompts, but does not sanitize or block injected content. The SKILL.md also suggests running the script with bun, but the declared required binaries list is empty (see Install Mechanism). The code does not read local files, other env vars, or configurations beyond the API key.
Install Mechanism
There is no explicit install spec (instruction-only), which reduces risk, but the script requires the 'bun' runtime (shebang and usage examples). The registry metadata lists no required binaries — that is an inconsistency and may lead to runtime surprises. No external downloads or archives are used.
Credentials
Only a single API credential (A9_GROK_API_KEY) is required, which is proportionate to the stated purpose. Caveat: the source owner and homepage are unknown and the destination host (https://ai.a9.bot) is not documented in registry metadata; supplying your API key will send user queries to that third-party endpoint.
Persistence & Privilege
The skill does not request persistent installation privileges (always:false), does not modify other skills or system settings, and contains no install hooks. It runs as a simple proxy CLI when invoked.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install grok-research
  3. After installation, invoke the skill by name or use /grok-research
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: forward queries to Grok API for crypto narrative research via real-time X/Twitter data
Metadata
Slug grok-research
Version 1.0.0
License
All-time Installs 6
Active Installs 5
Total Versions 1
Frequently Asked Questions

What is Grok Research?

Crypto research via Grok model's real-time X/Twitter knowledge. Forwards the user's query as-is to Grok API — no prompt injection, no context bloat. Use when... It is an AI Agent Skill for Claude Code / OpenClaw, with 741 downloads so far.

How do I install Grok Research?

Run "/install grok-research" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Grok Research free?

Yes, Grok Research is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Grok Research support?

Grok Research is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Grok Research?

It is built and maintained by pollo (@arespollo); the current version is v1.0.0.
