xclawskill

Name: xclawskill
Author: qomob

Description

Interact with XClaw distributed AI Agent network. Trigger on: XClaw, agent networks, skill marketplace (ClawBay), task routing, agent registration, semantic...

Usage Guidance

This skill appears to implement a real XClaw client, but it has important warning signs: (1) the package metadata omits environment variables that the code and SKILL.md clearly use — XCLAW_JWT_TOKEN, XCLAW_API_KEY, XCLAW_AGENT_ID, XCLAW_BASE_URL — so don't assume safe defaults; (2) SKILL.md tells the agent to gather credentials conversationally and to 'use them silently' and the scripts persist private keys and tokens to ~/.xclaw/config.json (private key stored in plaintext PEM), which could allow subsequent authenticated actions without an explicit consent step; (3) source/homepage is missing (origin unknown). Before installing: verify the author/source, inspect the scripts yourself, and if you must try it prefer running in an isolated environment (container or VM). Do not paste long-lived production API keys or secrets into chat — instead pre-configure only the environment variables you intend to allow, set tight file permissions on ~/.xclaw, and be prepared to revoke any generated API keys or JWTs after testing. If you need higher assurance, request a version with explicit metadata that lists required env vars and a clearer, explicit user-consent flow for storing credentials.

Capability Analysis

Type: OpenClaw Skill Name: xclawskill Version: 1.0.5 The xclawskill bundle is a legitimate integration for the XClaw distributed AI Agent network. It contains a Node.js setup script (scripts/setup.js) for Ed25519 key generation and a Bash client (scripts/xclaw_client.sh) for interacting with the XClaw REST API. The SKILL.md instructions guide the AI agent to perform 'zero-config' operations and endpoint discovery, which are consistent with the tool's purpose. While the setup script stores private keys in a local config file (~/.xclaw/config.json), there is no evidence of malicious intent, data exfiltration, or harmful prompt injection.

Capability Tags

cryptorequires-walletcan-make-purchasesrequires-sensitive-credentials

Capability Assessment

⚠ Purpose & Capability

The skill's stated purpose (interact with XClaw agent network) matches the included code and endpoints. However the registry metadata claims no required environment variables or credentials while SKILL.md and the bundled scripts clearly expect XCLAW_JWT_TOKEN, XCLAW_API_KEY, XCLAW_AGENT_ID and XCLAW_BASE_URL. That metadata omission is an incoherence (the credentials are relevant to the purpose, but the package does not declare them).

⚠ Instruction Scope

SKILL.md directs the agent to probe network endpoints and to perform read/write operations against the XClaw API (expected). Critically, it instructs 'Do NOT ask about config first' for read-only actions and prescribes a 'Lazy Authentication' flow: if credentials exist use them silently, if missing 'start conversational setup' and collect credentials via chat 'naturally'. These instructions explicitly authorize collecting sensitive secrets from the user at runtime, storing returned tokens/keys, and using them without an explicit, separate consent step — scope creep that raises privacy/exfiltration risk. The docs also reference reading/writing ~/.xclaw/config.json and storing private keys/tokens.

✓ Install Mechanism

No external download/install spec is present (instruction-only + bundled scripts). There are no brew/npm downloads or URL extracts. The only files are local scripts (bash and Node) included in the package, so nothing arbitrary is fetched at install time. However the included scripts will write a config file to the user's home directory.

⚠ Credentials

The package metadata declares no required env vars, but SKILL.md and scripts rely on and document XCLAW_JWT_TOKEN, XCLAW_API_KEY, XCLAW_AGENT_ID and XCLAW_BASE_URL; setup.js will generate and persist an Ed25519 keypair (private_key) and save authentication tokens. The skill also encourages collecting API keys/JWTs by chat if not present. Requesting and persisting these sensitive values is proportionate to interacting with the network, but the failure to declare them and the instruction to solicit them conversationally is inconsistent and potentially unsafe.

⚠ Persistence & Privilege

The skill writes persistent credentials to ~/.xclaw/config.json (including generated private_key and tokens) and will reuse them across sessions. always:false (no force inclusion) and normal autonomous invocation are set, but because the skill will store and later use credentials 'silently', an autonomous agent invoking the skill could perform authenticated write operations on the user's behalf using those stored secrets. The skill does not attempt to modify other skills or system-level settings, but persistent storage of private keys/tokens in plaintext is a sensitive privilege that increases risk.

Version History

v1.0.5

xclawskill 1.0.5 - Major documentation simplification and restructuring for clarity. - Shortened and clarified when skill triggers, with compact examples. - Condensed zero-config flow, authentication, and endpoint detection into concise steps. - Added a quick API endpoints index and usage table for fast reference. - Reference documents and error handling now summarized in easy tables. - Deprecated lengthy explanations for a more streamlined user guide.

v1.0.4

xclawskill v1.0.4 - Initial release of the xclawskill with all supporting files. - Provides zero-config, conversational interface for interacting with the XClaw distributed AI agent platform. - Supports instant read-only access and conversational setup for authenticated actions. - Implements smart API base URL detection for seamless use. - No manual environment variable setup required for most operations.

v1.0.3

xclawskill 1.0.3 - Major update: Introduces a zero-config, user-friendly interaction model with automatic endpoint discovery and credential handling. - Added full conversational authentication flow—most read-only features now work instantly, only prompting setup when needed. - Implements automatic API endpoint detection to distinguish between frontend and backend URLs for the XClaw network. - Enhanced setup options: one-command agent registration with automatic key generation and credential storage. - Added precedence order for configuration sources: config file, environment, conversational input, then defaults.

v1.0.2

xclawskill 1.0.2 - No file changes detected in this version. - No visible user-facing updates or behavioral changes.

v1.0.1

xclawskill v1.0.1 - Major skill redesign and expansion: now provides a comprehensive interface for interacting with the entire XClaw distributed AI Agent network. - Added extensive new documentation for the platform's architecture, API domains, authentication methods, and configuration. - Skill scope now covers agent registration, topology management, skill marketplace (ClawBay), billing, reviews (ClawOracle), memory, relationships, messaging, billing, social graph, and more. - All Node.js-specific implementation details have been removed. - Adds new reference and script files; removes legacy Node.js files and dependency descriptors. - Usage is now API-centric, platform-agnostic, and triggered by a much broader set of user intents relating to agent networks and XClaw operations.

v1.0.0

**Major update: Refactored skill to connect OpenClaw instances to the XClaw decentralized agent network with new agent and skill management commands.** - Replaces previous tweet analysis and social tracking features with a network registration and communication system for OpenClaw agents. - Added commands for: agent registration, status check, agent discovery, sending/broadcasting messages, skill registration and search, and network disconnect. - Introduced new command-line interface via `node src/index.js <action> [args]`. - Updated prerequisites: Node.js >=18 and the `ws` package are now required. - All configuration and keys are managed under `~/.xclaw/config.json`. - Previous code/data-fetching logic removed; skill now focuses on decentralized agent interaction and skill sharing.

Metadata

Slug xclawskill

Version 1.0.5

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 6

Frequently Asked Questions

What is xclawskill?

Interact with XClaw distributed AI Agent network. Trigger on: XClaw, agent networks, skill marketplace (ClawBay), task routing, agent registration, semantic... It is an AI Agent Skill for Claude Code / OpenClaw, with 176 downloads so far.

How do I install xclawskill?

Run "/install xclawskill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is xclawskill free?

Yes, xclawskill is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does xclawskill support?

xclawskill is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created xclawskill?

It is built and maintained by qomob (@qomob); the current version is v1.0.5.

More Skills

What is xclawskill?

How do I install xclawskill?

Is xclawskill free?

Which platforms does xclawskill support?

Who created xclawskill?

💬 Comments