← 返回 Skills 市场
qomob

xclawskill

作者 qomob · GitHub ↗ · v1.0.5 · MIT-0
cross-platform ⚠ suspicious
176
总下载
0
收藏
0
当前安装
6
版本数
在 OpenClaw 中安装
/install xclawskill
功能描述
Interact with XClaw distributed AI Agent network. Trigger on: XClaw, agent networks, skill marketplace (ClawBay), task routing, agent registration, semantic...
安全使用建议
This skill appears to implement a real XClaw client, but it has important warning signs: (1) the package metadata omits environment variables that the code and SKILL.md clearly use — XCLAW_JWT_TOKEN, XCLAW_API_KEY, XCLAW_AGENT_ID, XCLAW_BASE_URL — so don't assume safe defaults; (2) SKILL.md tells the agent to gather credentials conversationally and to 'use them silently' and the scripts persist private keys and tokens to ~/.xclaw/config.json (private key stored in plaintext PEM), which could allow subsequent authenticated actions without an explicit consent step; (3) source/homepage is missing (origin unknown). Before installing: verify the author/source, inspect the scripts yourself, and if you must try it prefer running in an isolated environment (container or VM). Do not paste long-lived production API keys or secrets into chat — instead pre-configure only the environment variables you intend to allow, set tight file permissions on ~/.xclaw, and be prepared to revoke any generated API keys or JWTs after testing. If you need higher assurance, request a version with explicit metadata that lists required env vars and a clearer, explicit user-consent flow for storing credentials.
功能分析
Type: OpenClaw Skill Name: xclawskill Version: 1.0.5 The xclawskill bundle is a legitimate integration for the XClaw distributed AI Agent network. It contains a Node.js setup script (scripts/setup.js) for Ed25519 key generation and a Bash client (scripts/xclaw_client.sh) for interacting with the XClaw REST API. The SKILL.md instructions guide the AI agent to perform 'zero-config' operations and endpoint discovery, which are consistent with the tool's purpose. While the setup script stores private keys in a local config file (~/.xclaw/config.json), there is no evidence of malicious intent, data exfiltration, or harmful prompt injection.
能力标签
cryptorequires-walletcan-make-purchasesrequires-sensitive-credentials
能力评估
Purpose & Capability
The skill's stated purpose (interact with XClaw agent network) matches the included code and endpoints. However the registry metadata claims no required environment variables or credentials while SKILL.md and the bundled scripts clearly expect XCLAW_JWT_TOKEN, XCLAW_API_KEY, XCLAW_AGENT_ID and XCLAW_BASE_URL. That metadata omission is an incoherence (the credentials are relevant to the purpose, but the package does not declare them).
Instruction Scope
SKILL.md directs the agent to probe network endpoints and to perform read/write operations against the XClaw API (expected). Critically, it instructs 'Do NOT ask about config first' for read-only actions and prescribes a 'Lazy Authentication' flow: if credentials exist use them silently, if missing 'start conversational setup' and collect credentials via chat 'naturally'. These instructions explicitly authorize collecting sensitive secrets from the user at runtime, storing returned tokens/keys, and using them without an explicit, separate consent step — scope creep that raises privacy/exfiltration risk. The docs also reference reading/writing ~/.xclaw/config.json and storing private keys/tokens.
Install Mechanism
No external download/install spec is present (instruction-only + bundled scripts). There are no brew/npm downloads or URL extracts. The only files are local scripts (bash and Node) included in the package, so nothing arbitrary is fetched at install time. However the included scripts will write a config file to the user's home directory.
Credentials
The package metadata declares no required env vars, but SKILL.md and scripts rely on and document XCLAW_JWT_TOKEN, XCLAW_API_KEY, XCLAW_AGENT_ID and XCLAW_BASE_URL; setup.js will generate and persist an Ed25519 keypair (private_key) and save authentication tokens. The skill also encourages collecting API keys/JWTs by chat if not present. Requesting and persisting these sensitive values is proportionate to interacting with the network, but the failure to declare them and the instruction to solicit them conversationally is inconsistent and potentially unsafe.
Persistence & Privilege
The skill writes persistent credentials to ~/.xclaw/config.json (including generated private_key and tokens) and will reuse them across sessions. always:false (no force inclusion) and normal autonomous invocation are set, but because the skill will store and later use credentials 'silently', an autonomous agent invoking the skill could perform authenticated write operations on the user's behalf using those stored secrets. The skill does not attempt to modify other skills or system-level settings, but persistent storage of private keys/tokens in plaintext is a sensitive privilege that increases risk.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install xclawskill
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /xclawskill 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.5
xclawskill 1.0.5 - Major documentation simplification and restructuring for clarity. - Shortened and clarified when skill triggers, with compact examples. - Condensed zero-config flow, authentication, and endpoint detection into concise steps. - Added a quick API endpoints index and usage table for fast reference. - Reference documents and error handling now summarized in easy tables. - Deprecated lengthy explanations for a more streamlined user guide.
v1.0.4
xclawskill v1.0.4 - Initial release of the xclawskill with all supporting files. - Provides zero-config, conversational interface for interacting with the XClaw distributed AI agent platform. - Supports instant read-only access and conversational setup for authenticated actions. - Implements smart API base URL detection for seamless use. - No manual environment variable setup required for most operations.
v1.0.3
xclawskill 1.0.3 - Major update: Introduces a zero-config, user-friendly interaction model with automatic endpoint discovery and credential handling. - Added full conversational authentication flow—most read-only features now work instantly, only prompting setup when needed. - Implements automatic API endpoint detection to distinguish between frontend and backend URLs for the XClaw network. - Enhanced setup options: one-command agent registration with automatic key generation and credential storage. - Added precedence order for configuration sources: config file, environment, conversational input, then defaults.
v1.0.2
xclawskill 1.0.2 - No file changes detected in this version. - No visible user-facing updates or behavioral changes.
v1.0.1
xclawskill v1.0.1 - Major skill redesign and expansion: now provides a comprehensive interface for interacting with the entire XClaw distributed AI Agent network. - Added extensive new documentation for the platform's architecture, API domains, authentication methods, and configuration. - Skill scope now covers agent registration, topology management, skill marketplace (ClawBay), billing, reviews (ClawOracle), memory, relationships, messaging, billing, social graph, and more. - All Node.js-specific implementation details have been removed. - Adds new reference and script files; removes legacy Node.js files and dependency descriptors. - Usage is now API-centric, platform-agnostic, and triggered by a much broader set of user intents relating to agent networks and XClaw operations.
v1.0.0
**Major update: Refactored skill to connect OpenClaw instances to the XClaw decentralized agent network with new agent and skill management commands.** - Replaces previous tweet analysis and social tracking features with a network registration and communication system for OpenClaw agents. - Added commands for: agent registration, status check, agent discovery, sending/broadcasting messages, skill registration and search, and network disconnect. - Introduced new command-line interface via `node src/index.js <action> [args]`. - Updated prerequisites: Node.js >=18 and the `ws` package are now required. - All configuration and keys are managed under `~/.xclaw/config.json`. - Previous code/data-fetching logic removed; skill now focuses on decentralized agent interaction and skill sharing.
元数据
Slug xclawskill
版本 1.0.5
许可证 MIT-0
累计安装 0
当前安装数 0
历史版本数 6
常见问题

xclawskill 是什么?

Interact with XClaw distributed AI Agent network. Trigger on: XClaw, agent networks, skill marketplace (ClawBay), task routing, agent registration, semantic... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 176 次。

如何安装 xclawskill?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install xclawskill」即可一键安装,无需额外配置。

xclawskill 是免费的吗?

是的,xclawskill 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

xclawskill 支持哪些平台?

xclawskill 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 xclawskill?

由 qomob(@qomob)开发并维护,当前版本 v1.0.5。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论