Scan Report
5 /100
xai-studio
xAI Studio — generate and edit images and videos via the xAI API
Legitimate xAI API wrapper for image/video generation with no security concerns. All capabilities match documentation.
Safe to install
This skill is safe to use. No security issues detected.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | _encode_image() reads local files |
| Filesystem | WRITE | WRITE | ✓ Aligned | _prepare_out_dir() creates directories, _save_response() writes files |
| Network | READ | READ | ✓ Aligned | urlretrieve() downloads from user-provided URLs; SDK communicates with xAI API |
| Shell | NONE | NONE | — | No subprocess calls; venv commands are CLI instructions, not executed |
2 findings
Medium External URL 外部 URL
https://openclaw.ai README.md:3 Medium External URL 外部 URL
https://clawhub.ai/H0llyW00dzZ/xai-studio README.md:16 File Tree
3 files · 31.1 KB · 933 lines Python 1f · 648L
Markdown 2f · 285L
├─
▾
scripts
│ └─
run.py
Python
├─
README.md
Markdown
└─
SKILL.md
Markdown
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
xai-sdk | * | pip | No | Official xAI SDK; version unpinned in SKILL.md docs |
Security Positives
✓ All documented features verified in implementation
✓ No credential harvesting - XAI_API_KEY only used through official SDK
✓ No external data exfiltration - only communicates with xAI API
✓ No subprocess or shell execution in code
✓ No obfuscation or suspicious patterns
✓ Standard base64 encoding for API payload handling
✓ No sensitive path access (no ~/.ssh, ~/.aws, .env access)
✓ Clear separation between documented CLI setup and runtime behavior