grok-ai
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUM
Findings: NO_CODE, COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
- [NO_CODE]: The skill frequently references `src/grokIntegration.js` and `src/threadComposer.js` as the core logic providers, but these files are missing from the provided content, making the actual implementation unverifiable.
- [COMMAND_EXECUTION]: The documentation instructs users to "Paste the script -> Enter" into the browser DevTools console on x.com. This pattern of executing unverified JavaScript in a logged-in session is a high-risk vector for session hijacking (Self-XSS) and unauthorized account manipulation.
- [PROMPT_INJECTION]: The skill defines prompt templates that interpolate untrusted data (e.g., `{niche}`, `{topic}`, `{tweet_text}`) directly into the AI context via `XActions.ask()`. This creates an indirect prompt injection surface.
  - Ingestion points: Variable data from tweets or user input is passed to Grok.
  - Boundary markers: No delimiters or safety instructions are used to separate user data from the system prompt.
  - Capability inventory: The skill possesses DOM scraping and automated submission capabilities.
  - Sanitization: No escaping or validation of the interpolated strings is evident.
- [DATA_EXFILTRATION]: The functions `XActions.scrapeResponse()` and `XActions.export()` are designed to read and aggregate data from the X.com DOM, including AI-generated content and potentially private session data, which could be exfiltrated if the missing scripts contain network calls.
- [EXTERNAL_DOWNLOADS]: The skill mentions an external "XActions MCP server" and integration with OpenRouter, which introduces third-party dependencies and the requirement for external API keys (`OPENROUTER_API_KEY`).
Audit Metadata