← Back to Skills Marketplace

xenodia

Name: xenodia
Author: xenodiaofficial

by XENODIA · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

402

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install xenodia

Description

Enables this agent to authenticate with and use the Xenodia Multimodal AI Gateway. Covers two wallet identity modes (local keypair OR CDP Server Wallet), bal...

Usage Guidance

This package appears to be a legitimate Xenodia gateway client, but take these precautions before installing or enabling it: - Metadata mismatch: The registry metadata says there are no required environment variables, but CDP mode requires three sensitive Coinbase CDP values (CDP_API_KEY_ID, CDP_API_KEY_SECRET, CDP_WALLET_SECRET). Ask the publisher to fix the metadata or verify why it's omitted. - Secrets handling: Do NOT paste high-value secrets into ~/.zshrc unless you understand the risk. Storing API secrets or wallet secrets in a shell rc file leaves them in plain text accessible to any process that can read your shell files. Prefer a secure secret store (OS keyring, credential manager) or a file with restricted permissions. - Local private key: Local mode writes an unencrypted private key to .xenodia_agent_key. Only use local key mode if you accept storing the raw private key on disk; otherwise use CDP/MPC mode. - Verify endpoints and code: The scripts contact XENODIA_BASE_URL (default https://api.xenodia.xyz). Confirm that is the intended gateway. If you do not trust the Xenodia service or the skill source, do not provide credentials. - Limit exposure: If you must use this skill, avoid giving it autonomous privilege (or at least review/approve any actions that persist credentials). Consider running the scripts manually in an isolated environment rather than granting the agent automatic invocation. If you want, I can: (1) point out the exact lines where secrets are read/written, (2) produce a safer alternative for persisting credentials (restricted file with 600 permissions or keyring use), or (3) draft questions to ask the skill publisher to resolve the metadata mismatch.

Capability Analysis

Type: OpenClaw Skill Name: xenodia Version: 1.0.0 The skill is classified as suspicious due to two significant vulnerabilities related to sensitive credential handling and persistence. Firstly, the `SKILL.md` explicitly instructs the AI agent to persist sensitive Coinbase CDP API keys and wallet secrets in plaintext within the user's `~/.zshrc` file. This makes these critical credentials broadly available in every new shell session, significantly increasing their exposure. Secondly, the `xenodia_client.py` script stores the agent's local EVM private key in a plaintext file named `.xenodia_agent_key` within the skill's directory. While these actions are for the agent's stated functionality and convenience, storing private keys and API secrets in plaintext files and shell configuration files without explicit security measures (like restrictive file permissions) constitutes a high-risk vulnerability, even if not directly malicious in intent.

Capability Assessment

ℹ Purpose & Capability

The name/description (Xenodia gateway client) lines up with the included Python clients for local keypair and Coinbase CDP wallet modes. The client code only talks to the Xenodia API (XENODIA_BASE_URL) and to the Coinbase CDP SDK in CDP mode, which is consistent with the stated purpose. However the registry metadata claims there are no required env vars or credentials, while SKILL.md and the CDP client require multiple CDP environment variables for CDP mode — this metadata mismatch should be resolved.

⚠ Instruction Scope

SKILL.md instructs the agent (and the user) to request and accept sensitive values (CDP_API_KEY_ID, CDP_API_KEY_SECRET, CDP_WALLET_SECRET) from the owner and then to append them into ~/.zshrc for persistence. It also instructs generating and storing an unencrypted local private key file (.xenodia_agent_key). Asking an agent to write secrets into a shell rc file and to store raw private keys is scope-creep relative to just 'use the gateway' and increases exposure risk.

✓ Install Mechanism

There is no remote install/download; the skill is instruction + included Python scripts. It asks the user to pip-install cdp-sdk and requests in CDP mode, which is a typical mechanism and not unusual. No arbitrary download URLs or archive extraction are present.

⚠ Credentials

The CDP mode legitimately requires CDP_API_KEY_ID, CDP_API_KEY_SECRET, and CDP_WALLET_SECRET (and optionally CDP_WALLET_NAME). These environment variables are necessary for Coinbase CDP operation. But the skill registry metadata lists no required env vars — an inconsistency. Also the instructions push storing these high-value secrets in ~/.zshrc (plain text), which is disproportionate from a security standpoint; a safer approach (OS keyring, restricted file with proper permissions, or not persisting at all) would be preferable.

⚠ Persistence & Privilege

The skill's scripts will create/modify files: .xenodia_agent_key in the skill folder (local private key) and SKILL.md explicitly instructs appending secrets to ~/.zshrc. While the skill does not request 'always: true' or modify other skills, the instructions ask the agent to persist credentials into a user shell config and to write unencrypted private keys to disk, which increases long-term exposure and is a meaningful privilege to be aware of.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install xenodia
After installation, invoke the skill by name or use /xenodia
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

Initial release of the Xenodia skill — connect to the Xenodia Multimodal AI Gateway using EVM wallet identities. - Supports both Local Keypair and Coinbase CDP Server Wallet authentication modes. - Enables wallet balance checks, model availability queries, and switching LLM provider to Xenodia. - Provides step-by-step setup instructions for both authentication modes. - Includes troubleshooting guidance for common errors. - Example helper scripts: `xenodia_client.py` (local) and `xenodia_cdp_client.py` (CDP). - Allows generation of static API keys for integrating with third-party tools.

Metadata

Slug xenodia

Version 1.0.0

License —

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is xenodia?

Enables this agent to authenticate with and use the Xenodia Multimodal AI Gateway. Covers two wallet identity modes (local keypair OR CDP Server Wallet), bal... It is an AI Agent Skill for Claude Code / OpenClaw, with 402 downloads so far.

How do I install xenodia?

Run "/install xenodia" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is xenodia free?

Yes, xenodia is completely free (open-source). You can download, install and use it at no cost.

Which platforms does xenodia support?

xenodia is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created xenodia?

It is built and maintained by XENODIA (@xenodiaofficial); the current version is v1.0.0.

More Skills