xai-grok
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
- [Unverifiable Dependencies] (MEDIUM): The requirements.txt file specifies package versions that do not match current official releases.
  - Evidence: typer==0.20.0 and xai-sdk==1.3.1 are specified. As of the current date, the latest stable version of typer is 0.12.x, and the official xai-sdk versions are significantly lower. Providing future-dated or non-existent version numbers is a common indicator of potential dependency confusion attacks.
- [Indirect Prompt Injection] (LOW): The skill is designed to ingest and process untrusted data from the internet, creating a vulnerability to indirect prompt injection.
  - Ingestion points: The skill utilizes x_search() (Twitter) and web_search() to bring external, attacker-controllable content into the model's context.
  - Boundary markers: Absent. The script appends user queries and tool results without using delimiters or system-level instructions to ignore embedded commands in the retrieved data.
  - Capability inventory: The skill includes a code_execution tool (server-side Python) and web_search capabilities, which could be misused if the model is manipulated by injected instructions.
  - Sanitization: No sanitization, filtering, or validation is performed on the data returned from X/Twitter or the web before processing.
- [Data Exposure & Exfiltration] (LOW): The skill transmits data to a third-party AI provider (xAI).
  - Evidence: User queries and tool results are sent to xAI servers. While necessary for the skill's function, this involves a non-whitelisted external domain and the transmission of potentially sensitive context to a third party.
Audit Metadata