← 返回 Skills 市场
Wip Xai Grok Private
作者
Parker Todd Brooks
· GitHub ↗
· v1.0.3
· MIT-0
271
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install wip-xai-grok
功能描述
xAI Grok API. Search the web, search X, generate images, generate video.
安全使用建议
This package implements the claimed Grok features, but there are a few red flags to consider before installing:
- The registry metadata does NOT declare that the skill needs XAI_API_KEY or the 1Password (op) CLI, yet SKILL.md and core.mjs expect XAI_API_KEY and call 'op read'. Confirm you are comfortable granting the skill access to that API key and that the 'op' binary (if present) is safe to use.
- core.mjs uses child_process.execSync('op read ...') and will run that CLI on your system if the env var is missing. If you do not want third-party code to invoke local CLIs, do not install/run this skill or inspect and remove the fallback before use.
- The edit_image function reads local files (readFileSync) when given a file path and can base64-encode them for upload. Do not pass sensitive filesystem paths to this skill; audit the code if you plan to allow user-controlled file paths.
- package.json and package-lock.json show many npm dependencies; install in a sandbox or verify dependency integrity (e.g., audit lockfile) before running in production.
Recommendations:
1) Ask the publisher to update registry metadata to declare required env vars (XAI_API_KEY) and required binaries ('op' if relying on 1Password CLI). 2) If you plan to use it, run it in an isolated environment (container) and inspect or remove the execSync fallback if you don't want CLI access. 3) Verify the API key scope and rotate it if you test in a shared environment. 4) If you need higher assurance, request a signed release or a reproducible build and review the package-lock dependencies.
功能分析
Type: OpenClaw Skill
Name: wip-xai-grok
Version: 1.0.3
The skill bundle is a legitimate integration for the xAI Grok API, providing tools for web search, X (Twitter) search, and media generation. It includes a CLI, an MCP server, and clear instructions for AI agents in SKILL.md. The code in core.mjs features an automated credential retrieval mechanism that attempts to read the xAI API key from 1Password using the 'op' CLI via execSync; while execSync is a high-risk primitive, its usage here is constrained to a hardcoded 1Password path and serves the stated purpose of secure secret management. All external communication is directed to the official xAI API (api.x.ai), and no evidence of data exfiltration or malicious prompt injection was found.
能力评估
Purpose & Capability
The code implements web/X search and image/video generation consistent with the description and uses xAI endpoints (https://api.x.ai). However the skill relies on an XAI_API_KEY (documented in SKILL.md and used by core.mjs) and on the ability to call the 1Password CLI as a fallback; those runtime requirements are not reflected in the registry metadata (which lists no required env vars or binaries). The dependency on @modelcontextprotocol/sdk for the MCP server is expected for an MCP interface.
Instruction Scope
SKILL.md and README instruct use of XAI_API_KEY and 1Password (op://...). The runtime code executes an external command via execSync('op read ...') to fetch a secret from 1Password and reads local files when edit_image is used (readFileSync). That means at runtime the skill will attempt to invoke a system binary and read local files; those actions go beyond simple HTTP calls and are not declared in the registry metadata.
Install Mechanism
There is no install spec in the registry, but package.json and package-lock.json are present and declare dependencies (notably @modelcontextprotocol/sdk and its transitive deps). Installation will pull numerous npm packages (moderate risk surface). There are no downloads from untrusted URLs or extract steps in the provided manifest.
Credentials
The code requires an XAI_API_KEY (used in Authorization headers) and will try to read it from 1Password via the 'op' CLI if the env var is absent. The registry metadata did not list XAI_API_KEY or any required binaries. Apart from the single API key, no unrelated credentials are requested, but the use of the 1Password CLI implies access to local secret storage—this should be explicitly declared and reviewed.
Persistence & Privilege
The skill is not force-installed (always: false), does not request permanent platform-wide privileges, and does not modify other skills or global agent configuration. Running the MCP server is optional and only exposes the tool interfaces if the operator runs it.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install wip-xai-grok - 安装完成后,直接呼叫该 Skill 的名称或使用
/wip-xai-grok触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.3
# wip-xai-grok v1.0.3
Fix: add @modelcontextprotocol/sdk to dependencies. MCP server was failing with ERR_MODULE_NOT_FOUND when deployed via ldm install.
## Issues closed
- Closes #8
元数据
常见问题
Wip Xai Grok Private 是什么?
xAI Grok API. Search the web, search X, generate images, generate video. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 271 次。
如何安装 Wip Xai Grok Private?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install wip-xai-grok」即可一键安装,无需额外配置。
Wip Xai Grok Private 是免费的吗?
是的,Wip Xai Grok Private 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Wip Xai Grok Private 支持哪些平台?
Wip Xai Grok Private 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Wip Xai Grok Private?
由 Parker Todd Brooks(@parkertoddbrooks)开发并维护,当前版本 v1.0.3。
推荐 Skills