ClawAudit verdict

grok-imagine-image-pro

88
🟒 Trusted
Low risk β€” reviewed by ClawAudit, behavior matches stated purpose

Reads files, encodes data, AND makes external network calls

Image generation skill that uses XAI_API_KEY to call xAI's documented image generation API and saves output locally under ~/.openclaw/media/; all operations are consistent with the stated image generation purpose.

Automated static analysis β€” not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.

0
security
60
transparency
70
maintenance

What it does

These are capability combinations: each listed behavior occurs in the skill, but ClawAudit detects co-occurrence β€” it does not verify that one flows into another. Read the code to confirm a live chain.

Capability combination critical

Reads files, encodes data, AND makes external network calls β€” the obfuscated-exfiltration pattern (data-flow not verified)

LLM02 Β· ASI03

Capability combination high

Reads local files AND makes external network calls β€” the capabilities for data exfiltration co-occur (data-flow not verified)

LLM02 Β· LLM06 Β· ASI03

Capability combination high

Accesses credentials AND makes external network calls β€” potential credential theft

LLM02 Β· ASI03

Capability combination high

Accesses credentials AND encodes data β€” may obfuscate stolen credentials

LLM02 Β· ASI03 Β· ASI04

Permission integrity

Performs file operations but does not declare file-accessing binaries

file_read

Findings (1)

Pattern match critical

Pipe to python β€” executes piped content as Python code

SKILL.md Β· code Β· | python3

Permissions & capabilities

Requires 1 environment variable. (1 sensitive: XAI_API_KEY). Requires 2 system binaries. (1 elevated: curl).

network_outfile_readcredential_accessdata_encoding
Check another skill Browse the registry Auditing your own skills or configs? Use the API