grok-ai

This skill is a browser-console automation/integration for X's Grok AI that, in its documented form, provides plausible and useful automation features (sending prompts, scraping responses, batch workflows, image generation). The primary security concern is the delivery/execution model: instructing users to paste and run JavaScript in the browser DevTools exposes the user's authenticated session and makes credential exposure, account takeover, and data exfiltration straightforward if the script is modified or supplied by an attacker. The MCP/OpenRouter alternative introduces further risk because it requires an API key and implies networked processing without clear endpoint or privacy guarantees. Overall, I did not find explicit malicious code in the provided documentation fragment, but the combination of console-paste execution, UI automation capable of posting on behalf of the user, scraping of potentially sensitive DOM content, and unclear network/data flows constitutes a moderate-to-high supply-chain and privacy risk. Users should avoid pasting unreviewed scripts into their browser, ensure any MCP/OpenRouter traffic is local or to trusted endpoints, and require explicit per-action approval before posting content. Review and vet any actual script source code before running it in an authenticated session.