← Back to Skills Marketplace
pbjhsu

XO Protocol

by pbjhsu · GitHub ↗ · v2.0.0 · MIT-0
cross-platform ⚠ suspicious
255
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install xo-protocol
Description
Dating intelligence API — identity verification, compatibility scoring, reputation, and social signals via XO Protocol. The social passport for AI agents.
Usage Guidance
This package generally looks like what it claims (an SDK + MCP server for a dating-trust API), but there are important mismatches and operational risks to consider: - Metadata mismatch: the skill registry lists no required environment variables, yet the SKILL.md and the MCP server require XO_API_KEY and XO_ACCESS_TOKEN. Treat that as a transparency red flag and ask the publisher to correct the manifest. - Secrets exposure: the recommended integration stores XO_API_KEY and XO_ACCESS_TOKEN in your AI client's MCP config (~/.claude/mcp_servers.json). That file grants the local MCP process (and therefore any agent tooling that talks to it) access to your keys. Only use tokens with the minimal scopes needed, rotate them regularly, and consider running the MCP server in an isolated account or environment. - Source verification: SKILL.md and README point to a GitHub repository and xoxo.space domains, but the skill source in the registry is 'unknown'. Before installing or adding the MCP server, verify the upstream GitHub repo, check commit history and releases, and confirm the domain(s) (protocol.xoxo.space, xoxo.space) are legitimate and match the organization you expect. - Client secrets: examples show using client_secret for confidential OAuth flows. Never embed long-lived client secrets or private keys in public repos or in shared config files. Use PKCE for public clients where possible. If you cannot verify the package source and the domain ownership, or you are uncomfortable storing tokens in your AI client's config, do not install/run this MCP server. If you proceed, limit token scopes, run in an isolated environment, and audit network connections and logs.
Capability Analysis
Type: OpenClaw Skill Name: xo-protocol Version: 2.0.0 The xo-protocol skill bundle provides a legitimate integration for a dating intelligence API, offering tools for identity verification, reputation scoring, and social signals. The code consists of a standard JavaScript SDK (sdk/index.js), an MCP server for AI agents (examples/mcp-server.js), and clear documentation (SKILL.md, README.md) that emphasizes privacy through OAuth authorization and ephemeral user IDs. No evidence of data exfiltration, malicious execution, or prompt injection was found; the bundle follows established security patterns for API-based services.
Capability Assessment
Purpose & Capability
Files (SDK, examples, OpenAPI) match the described purpose (identity verification, reputation, compatibility). Requiring an API key and a user JWT (XO_API_KEY, XO_ACCESS_TOKEN) is coherent for this API. However, the registry metadata claims no required environment variables while the SKILL.md and mcp-server example explicitly require XO_API_KEY and XO_ACCESS_TOKEN — an inconsistency that should be resolved before trusting the package.
Instruction Scope
SKILL.md instructs running an MCP server and adding a local entry to an AI client's config (~/.claude/mcp_servers.json) with environment variables. Those instructions are within scope for exposing an API to agents, but they explicitly require placing secrets (API key/JWT) into the agent configuration which gives the local MCP process access to those tokens. The instructions do not ask to read unrelated system files or exfiltrate data, but granting the MCP server these tokens effectively gives any agent-bound tooling that can call the server access to the user's API/JWT — exercise caution.
Install Mechanism
There is no automated install spec in the registry (instruction-only install). The SKILL.md suggests git-clone of a GitHub repo and using npm to install a known SDK; the code shipped with the skill mirrors a normal open-source SDK + examples. No downloads from obscure hosts or obfuscated installers were found in the provided materials.
Credentials
The skill requires an XO API key and a user access token (JWT) to function — appropriate for the described API — but the registry metadata lists no required environment variables. This mismatch reduces transparency. Additionally the examples show using client_secret and exchanging codes; those secrets are normal for OAuth confidential clients but increase risk if placed in agent config files. Confirm minimal scopes and rotation policies before providing tokens.
Persistence & Privilege
The skill does not request 'always: true' and uses an MCP server pattern (local process invoked by the AI client). That is expected for MCP-based tools. However, running the MCP server with XO_API_KEY and XO_ACCESS_TOKEN stored in the AI client's config means the skill will have persistent access to those credentials while running — verify you are comfortable storing and exposing those tokens to your AI client and any skills the client may invoke.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install xo-protocol
  3. After installation, invoke the skill by name or use /xo-protocol
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.0.0
xo-protocol 2.0.0 - Major update adding comprehensive documentation and usage workflows. - Introduces a privacy-first dating intelligence API for AI agents. - New tools include identity verification, compatibility scoring, reputation checks, social signal analysis, profile browsing, and newsfeed access. - Clearly documents setup instructions, example usage, and privacy safeguards. - Links to API docs, OpenAPI spec, and SDK provided.
Metadata
Slug xo-protocol
Version 2.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is XO Protocol?

Dating intelligence API — identity verification, compatibility scoring, reputation, and social signals via XO Protocol. The social passport for AI agents. It is an AI Agent Skill for Claude Code / OpenClaw, with 255 downloads so far.

How do I install XO Protocol?

Run "/install xo-protocol" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is XO Protocol free?

Yes, XO Protocol is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does XO Protocol support?

XO Protocol is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created XO Protocol?

It is built and maintained by pbjhsu (@pbjhsu); the current version is v2.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments