xai-image-gen

clawhub:xai-image-gen

View source

92/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

92/100

MEDIUM 1

LOW 4

Findings (5)

MEDIUM

Shell profile modification for persistence EXTDL_005

external-download L40

Detects instructions to modify shell config files for environment persistence

Add to your shell profile (`~/.bashrc`, `~/.zshrc

FIX

Avoid modifying shell profiles (.bashrc, .zshrc, .profile) programmatically. Instruct users to add PATH entries manually, or use a version manager (nvm, pyenv) instead.

FP?

Likely FP if the match is documentation showing how to add a tool to PATH manually, especially if it only appends to PATH without modifying other settings.

LOW

pip install arbitrary package EXTDL_009

external-download L28

Detects pip install of arbitrary packages that modify the host environment

pip3 install re

FIX

Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.

FP?

Likely FP if the match is in documentation showing how to install the skill's own PyPI package.

LOW

Shell profile modification for persistence EXTDL_005

external-download L43

Detects instructions to modify shell config files for environment persistence

echo 'export XAI_API_KEY="your-api-key-here"' >> ~/.bashrc

FIX

Avoid modifying shell profiles (.bashrc, .zshrc, .profile) programmatically. Instruct users to add PATH entries manually, or use a version manager (nvm, pyenv) instead.

FP?

Likely FP if the match is documentation showing how to add a tool to PATH manually, especially if it only appends to PATH without modifying other settings.

LOW

Runtime URL controlling behavior THIRDPARTY_001

third-party-content L133

Detects URLs fetched at runtime that control or influence agent behavior without pinning

get from https:// + prompt

FIX

Avoid loading configuration or behavior-controlling content from runtime URLs. Bundle required configurations locally or pin remote config to versioned, integrity-verified endpoints.

FP?

Likely FP if the URL in the match is a documentation link or example URL (e.g., example.com) rather than an actual runtime-fetched configuration endpoint.

LOW

pip install arbitrary package EXTDL_009

external-download L152

Detects pip install of arbitrary packages that modify the host environment

pip3 install re

FIX

Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.

FP?

Likely FP if the match is in documentation showing how to install the skill's own PyPI package.