Is devvgwardo/grok-imagine-video safe?
https://github.com/openclaw/skills/tree/main/skills/devvgwardo/grok-imagine-video
The grok-imagine-video skill is a straightforward Python wrapper around xAI's Grok Imagine API with no detected prompt injection, no credential harvesting, and no C2 activity. The only notable findings are an unsanitized output_path parameter in the download methods and inline bash heredoc execution patterns in SKILL.md — both are functional design choices rather than malicious constructs. Credential file accesses observed in monitoring are attributable to SSH/sudo infrastructure activity, confirmed by intact canary hashes. The skill is safe to install with awareness of the download path concern.
Findings (5)
LOW (-10): Unsanitized output_path in download methods
Both download_video() and download_image() accept an output_path string and pass it directly to os.makedirs() and open(). No path normalization or containment to a safe directory is performed. If an agent can be tricked (via prompt injection in API responses or user input) into providing a path like /home/oc-exec/.ssh/authorized_keys, the skill would overwrite it with binary video/image data.
LOW (-15): Inline Python execution via bash heredoc in SKILL.md
Every workflow example in SKILL.md instructs the agent to execute Python via python3 - << 'EOF'. While the embedded code is benign, this pattern means the LLM agent runs Python on each feature invocation. A malicious update to SKILL.md could silently introduce harmful code that executes without the user seeing it as a separate script.
LOW (-5): Credential file accesses during monitoring window (infrastructure-attributed)
The monitoring captured opens of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json at 04:28:11 and 04:28:28. These timestamps correlate with SSH login (sshd, sudo) and the oathe post-install canary verification pass — not with any code in the skill itself. Canary files were confirmed intact. Logged for completeness.
INFO (-5): Configurable base_url enables API endpoint redirection
GrokImagineVideoClient accepts a base_url constructor parameter defaulting to https://api.x.ai/v1. SKILL.md does not expose this parameter to users, but the Python client supports it. If an attacker gained prompt injection and instructed the agent to initialize the client with a different base_url, all API requests including the Authorization Bearer token would go to the attacker's server.
INFO (0): Clone-time network activity limited to GitHub
The only external TCP connection during installation was to 140.82.121.4:443 (a GitHub IP), consistent with the git clone of github.com/openclaw/skills.git. No connections to api.x.ai, no DNS queries for attacker-controlled domains, no unexpected listener ports opened after install.