← Back to Skills Marketplace
Wip Xai Grok Private
by
Parker Todd Brooks
· GitHub ↗
· v1.0.3
· MIT-0
271
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install wip-xai-grok
Description
xAI Grok API. Search the web, search X, generate images, generate video.
Usage Guidance
This package implements the claimed Grok features, but there are a few red flags to consider before installing:
- The registry metadata does NOT declare that the skill needs XAI_API_KEY or the 1Password (op) CLI, yet SKILL.md and core.mjs expect XAI_API_KEY and call 'op read'. Confirm you are comfortable granting the skill access to that API key and that the 'op' binary (if present) is safe to use.
- core.mjs uses child_process.execSync('op read ...') and will run that CLI on your system if the env var is missing. If you do not want third-party code to invoke local CLIs, do not install/run this skill or inspect and remove the fallback before use.
- The edit_image function reads local files (readFileSync) when given a file path and can base64-encode them for upload. Do not pass sensitive filesystem paths to this skill; audit the code if you plan to allow user-controlled file paths.
- package.json and package-lock.json show many npm dependencies; install in a sandbox or verify dependency integrity (e.g., audit lockfile) before running in production.
Recommendations:
1) Ask the publisher to update registry metadata to declare required env vars (XAI_API_KEY) and required binaries ('op' if relying on 1Password CLI). 2) If you plan to use it, run it in an isolated environment (container) and inspect or remove the execSync fallback if you don't want CLI access. 3) Verify the API key scope and rotate it if you test in a shared environment. 4) If you need higher assurance, request a signed release or a reproducible build and review the package-lock dependencies.
Capability Analysis
Type: OpenClaw Skill
Name: wip-xai-grok
Version: 1.0.3
The skill bundle is a legitimate integration for the xAI Grok API, providing tools for web search, X (Twitter) search, and media generation. It includes a CLI, an MCP server, and clear instructions for AI agents in SKILL.md. The code in core.mjs features an automated credential retrieval mechanism that attempts to read the xAI API key from 1Password using the 'op' CLI via execSync; while execSync is a high-risk primitive, its usage here is constrained to a hardcoded 1Password path and serves the stated purpose of secure secret management. All external communication is directed to the official xAI API (api.x.ai), and no evidence of data exfiltration or malicious prompt injection was found.
Capability Assessment
Purpose & Capability
The code implements web/X search and image/video generation consistent with the description and uses xAI endpoints (https://api.x.ai). However the skill relies on an XAI_API_KEY (documented in SKILL.md and used by core.mjs) and on the ability to call the 1Password CLI as a fallback; those runtime requirements are not reflected in the registry metadata (which lists no required env vars or binaries). The dependency on @modelcontextprotocol/sdk for the MCP server is expected for an MCP interface.
Instruction Scope
SKILL.md and README instruct use of XAI_API_KEY and 1Password (op://...). The runtime code executes an external command via execSync('op read ...') to fetch a secret from 1Password and reads local files when edit_image is used (readFileSync). That means at runtime the skill will attempt to invoke a system binary and read local files; those actions go beyond simple HTTP calls and are not declared in the registry metadata.
Install Mechanism
There is no install spec in the registry, but package.json and package-lock.json are present and declare dependencies (notably @modelcontextprotocol/sdk and its transitive deps). Installation will pull numerous npm packages (moderate risk surface). There are no downloads from untrusted URLs or extract steps in the provided manifest.
Credentials
The code requires an XAI_API_KEY (used in Authorization headers) and will try to read it from 1Password via the 'op' CLI if the env var is absent. The registry metadata did not list XAI_API_KEY or any required binaries. Apart from the single API key, no unrelated credentials are requested, but the use of the 1Password CLI implies access to local secret storage—this should be explicitly declared and reviewed.
Persistence & Privilege
The skill is not force-installed (always: false), does not request permanent platform-wide privileges, and does not modify other skills or global agent configuration. Running the MCP server is optional and only exposes the tool interfaces if the operator runs it.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install wip-xai-grok - After installation, invoke the skill by name or use
/wip-xai-grok - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.3
# wip-xai-grok v1.0.3
Fix: add @modelcontextprotocol/sdk to dependencies. MCP server was failing with ERR_MODULE_NOT_FOUND when deployed via ldm install.
## Issues closed
- Closes #8
Metadata
Frequently Asked Questions
What is Wip Xai Grok Private?
xAI Grok API. Search the web, search X, generate images, generate video. It is an AI Agent Skill for Claude Code / OpenClaw, with 271 downloads so far.
How do I install Wip Xai Grok Private?
Run "/install wip-xai-grok" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Wip Xai Grok Private free?
Yes, Wip Xai Grok Private is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Wip Xai Grok Private support?
Wip Xai Grok Private is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Wip Xai Grok Private?
It is built and maintained by Parker Todd Brooks (@parkertoddbrooks); the current version is v1.0.3.
More Skills