arespollo

Grok Research

Author: pollo · GitHub · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 741
Favorites: 0
Current installs: 5
Versions: 1
Install in OpenClaw
/install grok-research
Description
Crypto research via Grok model's real-time X/Twitter knowledge. Forwards the user's query as-is to Grok API — no prompt injection, no context bloat. Use when...
Usage instructions (SKILL.md)

Grok Research

Forward user's research query directly to Grok API. No extra prompts — what the user says is exactly what Grok receives.

Config

Env var A9_GROK_API_KEY required. API base URL: https://ai.a9.bot/v1 (hardcoded).

Usage

cd ~/.openclaw/workspace/skills/grok-research
bun run grok-research.ts <query>
bun run grok-research.ts --model grok-4.20-beta <query>

Default model: grok-4.20-beta. Another model: --model grok-4.1-thinking.

How to Call

Pass the user's original message as the query. Do not add system prompts or templates — forward as-is.

Example: user says "调研一下代币叙事 $buttcoin Cm6fNnMk..." → bun run grok-research.ts "调研一下代币叙事 $buttcoin Cm6fNnMk..."

Output

  • stdout: Grok's response (forward to user)
  • stderr: status/errors
  • Format for Discord before sending (no markdown tables)
Security usage advice
This skill will forward whatever the user types to an external API at https://ai.a9.bot/v1 using the A9_GROK_API_KEY you provide — so do not send secrets or sensitive data through it. Confirm the domain and API provider are legitimate before adding your key. The package expects the 'bun' runtime but the registry metadata doesn't declare this; ensure bun is available. Note the SKILL.md claims 'no prompt injection' but the code forwards user input unchanged (it does not sanitize). Also there is a small env-name mismatch in the file comment versus SKILL.md/code (GROK_API_KEY vs A9_GROK_API_KEY). If you need higher assurance, ask the publisher for provenance (source repo/homepage), verify the ai.a9.bot service, and run the script in a controlled environment with a throwaway API key first.
Functional analysis
Type: OpenClaw Skill
Name: grok-research
Version: 1.0.0

The skill is suspicious due to a critical vulnerability: the `SKILL.md` instructs the OpenClaw agent to execute `bun run grok-research.ts <query>` where `<query>` is the user's raw input. If the OpenClaw agent does not properly escape this argument before shell execution, it creates a direct path for shell injection, leading to Remote Code Execution (RCE) on the agent's host. Additionally, the `grok-research.ts` script forwards the user's query 'as-is' to the Grok API, which could allow prompt injection against the Grok model itself. While the script itself does not contain malicious code like data exfiltration or backdoors, the method of command execution exposes a significant vulnerability.
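The two invocation styles the analysis contrasts, as an added example (not code from the skill or from OpenClaw). `fake_skill` is a constructed stand-in for `bun run grok-research.ts` that only echoes its arguments; the function names and the sample query are assumptions.

```shell
#!/bin/sh
# fake_skill: constructed stand-in for `bun run grok-research.ts`.
# It reports how many arguments arrived and what each one contained,
# so nothing is sent to any API.
fake_skill() {
    printf '%s:' "$#"
    for arg in "$@"; do printf '[%s]' "$arg"; done
    printf '\n'
}

# Pattern the analysis warns about: the query is pasted into a command
# *string* that a shell parses a second time, so its contents are read as
# shell syntax instead of data. Only called here with a benign query.
run_as_shell_string() {
    ( unset buttcoin; eval "fake_skill \"$1\"" )
}

# Hardened pattern: the query travels as exactly one argv element and is
# never re-parsed, so `$`, `;`, quotes and spaces stay literal.
run_as_argv() {
    fake_skill "$1"
}

# Constructed sample query, modelled on the ticker in the SKILL.md example.
query='price of $buttcoin today'
printf 'shell string: %s\n' "$(run_as_shell_string "$query")"
printf 'argv element: %s\n' "$(run_as_argv "$query")"
```

Even with a harmless query the re-parsed string silently drops the `$buttcoin` ticker, which is the same parsing step that makes injection possible; an agent runtime avoids both by spawning the process with an argument array rather than a shell command string.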
Capability assessment
Purpose & Capability
The skill's code and SKILL.md align with the stated purpose: it forwards user queries to a remote Grok API and returns the model output. However the description claims 'real-time X/Twitter knowledge' (an external capability of the Grok service) but the skill itself does not access X/Twitter — it only proxies to the ai.a9.bot endpoint. This claim therefore depends entirely on the remote service, not on the skill. Also the top-of-file comment references a different env var name (GROK_API_KEY) than the rest of the repo and SKILL.md (A9_GROK_API_KEY), which is an inconsistency.
Instruction Scope
SKILL.md instructs the agent to forward the user's message 'as-is' to the Grok API and the code does exactly that. That means any prompt-injection content in user input will be forwarded to the external API — the marketing claim 'no prompt injection' is misleading: the skill avoids adding prompts, but does not sanitize or block injected content. The SKILL.md also suggests running the script with bun, but the declared required binaries list is empty (see install mech). The code does not read local files, other env vars, or configurations beyond the API key.
Install Mechanism
There is no explicit install spec (instruction-only), which reduces risk, but the script requires the 'bun' runtime (shebang and usage examples). The registry metadata lists no required binaries — that is an inconsistency and may lead to runtime surprises. No external downloads or archives are used.
Credentials
Only a single API credential (A9_GROK_API_KEY) is required, which is proportionate to the stated purpose. Caveat: the source owner and homepage are unknown and the destination host (https://ai.a9.bot) is not documented in registry metadata; supplying your API key will send user queries to that third-party endpoint.
Persistence & Privilege
The skill does not request persistent installation privileges (always:false), does not modify other skills or system settings, and contains no install hooks. It runs as a simple proxy CLI when invoked.
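How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install grok-research
  3. Once installation completes, invoke the Skill by name or trigger it with /grok-research
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history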
v1.0.0
Initial release: forward queries to Grok API for crypto narrative research via real-time X/Twitter data
Metadata
Slug grok-research
Version 1.0.0
License
Total installs 6
Current installs 5
Historical versions 1
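FAQ

What is Grok Research?

Crypto research via Grok model's real-time X/Twitter knowledge. Forwards the user's query as-is to Grok API — no prompt injection, no context bloat. Use when... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 741 cumulative downloads so far.

How do I install Grok Research?

Run the command "/install grok-research" in the OpenClaw or Claude Code chat box for one-step installation; no additional configuration is required.

Is Grok Research free?

Yes, Grok Research is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Grok Research support?

Grok Research runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Grok Research?

Developed and maintained by pollo (@arespollo); the current version is v1.0.0.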
