Is kirillleventcov/grokipedia safe?

https://github.com/openclaw/skills/tree/main/skills/kirillleventcov/grokipedia

83
SAFE

Grokipedia is a functionally straightforward skill for searching and fetching xAI's Grokipedia encyclopedia. No direct prompt injection, credential theft, or malicious code execution was observed. However, two concerns warrant attention: an anomalous .clawhub/lock.json referencing a separate skill 'academic-research-hub' was found inside the skill package (likely an accidental developer artifact but flagged as unusual), and the skill's very broad invocation trigger will routinely send user query data to xAI-operated infrastructure. The primary ongoing risk post-install is that AI-generated article content fetched from grokipedia.com could be used as a prompt injection delivery vehicle.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 83/100 · 20%
Clone Behavior 80/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (6)

MEDIUM Anomalous .clawhub/lock.json inside skill package -20

The skill package includes a .clawhub/lock.json file that references another skill ('academic-research-hub', v0.1.0). This file belongs in the user's home directory as a skill registry manifest — it has no legitimate purpose inside a published skill package. Its installedAt timestamp (1770957475341) post-dates the skill's latest published version (1770921698996), indicating it was committed from a developer's active environment. While likely accidental, it could confuse openclaw's skill management or signal the presence of a related dependency skill.

MEDIUM Overly broad trigger sends wide range of user queries to xAI-owned service -25

The skill's trigger condition ('Use when asked about topics that might have a Grokipedia article') is extremely permissive and could cause the skill to be invoked for almost any factual query. Every invocation sends the user's search term to grokipedia.com/api/typeahead, an xAI-operated endpoint. This creates a persistent data channel where user interests and query patterns are transmitted to xAI's infrastructure without explicit user consent for each query.

LOW Fetched AI-generated content creates secondary prompt injection surface -12

The skill fetches article content from grokipedia.com, which is AI-generated by Grok (xAI's model), and returns it verbatim to the LLM. Adversarially crafted articles on grokipedia.com could embed prompt injection instructions that would be executed in the agent's context. This is a supply-chain injection risk via trusted-looking encyclopedia content rather than direct skill-level injection.

LOW fetch.mjs --raw flag exposes full HTML to LLM -10

The fetch script supports a --raw flag that returns raw HTML instead of Readability-extracted markdown. Compared with the cleaned markdown output, raw HTML carries significantly more content, including scripts, metadata, and potential injection vectors, all of which are passed into the LLM's context.

INFO Network access to xAI infrastructure is declared but privacy-relevant -5

The skill correctly declares its network access in SKILL.md. All network calls go to grokipedia.com only. No undeclared external endpoints were contacted. However, users should understand that Grokipedia is operated by xAI and all search queries become visible to that organization.

INFO All canary files intact — no credential exfiltration detected 0

Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were accessed only by the oathe audit infrastructure at pre- and post-install checkpoints. The skill itself made no attempt to read credential files.