Total downloads: 402
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install xenodia
Description
Enables this agent to authenticate with and use the Xenodia Multimodal AI Gateway. Covers two wallet identity modes (local keypair OR CDP Server Wallet), bal...
Security recommendations
This package appears to be a legitimate Xenodia gateway client, but take these precautions before installing or enabling it:
- Metadata mismatch: The registry metadata says there are no required environment variables, but CDP mode requires three sensitive Coinbase CDP values (CDP_API_KEY_ID, CDP_API_KEY_SECRET, CDP_WALLET_SECRET). Ask the publisher to fix the metadata or verify why it's omitted.
- Secrets handling: Do NOT paste high-value secrets into ~/.zshrc unless you understand the risk. Storing API secrets or wallet secrets in a shell rc file leaves them in plain text accessible to any process that can read your shell files. Prefer a secure secret store (OS keyring, credential manager) or a file with restricted permissions.
- Local private key: Local mode writes an unencrypted private key to .xenodia_agent_key. Only use local key mode if you accept storing the raw private key on disk; otherwise use CDP/MPC mode.
- Verify endpoints and code: The scripts contact XENODIA_BASE_URL (default https://api.xenodia.xyz). Confirm that is the intended gateway. If you do not trust the Xenodia service or the skill source, do not provide credentials.
- Limit exposure: If you must use this skill, avoid giving it autonomous privilege (or at least review/approve any actions that persist credentials). Consider running the scripts manually in an isolated environment rather than granting the agent automatic invocation.
Functional analysis
Type: OpenClaw Skill
Name: xenodia
Version: 1.0.0
The skill is classified as suspicious due to two significant vulnerabilities related to sensitive credential handling and persistence. Firstly, the `SKILL.md` explicitly instructs the AI agent to persist sensitive Coinbase CDP API keys and wallet secrets in plaintext within the user's `~/.zshrc` file. This makes these critical credentials broadly available in every new shell session, significantly increasing their exposure. Secondly, the `xenodia_client.py` script stores the agent's local EVM private key in a plaintext file named `.xenodia_agent_key` within the skill's directory. While these actions are for the agent's stated functionality and convenience, storing private keys and API secrets in plaintext files and shell configuration files without explicit security measures (like restrictive file permissions) constitutes a high-risk vulnerability, even if not directly malicious in intent.
Capability assessment
Purpose & Capability
The name/description (Xenodia gateway client) lines up with the included Python clients for local keypair and Coinbase CDP wallet modes. The client code only talks to the Xenodia API (XENODIA_BASE_URL) and to the Coinbase CDP SDK in CDP mode, which is consistent with the stated purpose. However the registry metadata claims there are no required env vars or credentials, while SKILL.md and the CDP client require multiple CDP environment variables for CDP mode — this metadata mismatch should be resolved.
Instruction Scope
SKILL.md instructs the agent (and the user) to request and accept sensitive values (CDP_API_KEY_ID, CDP_API_KEY_SECRET, CDP_WALLET_SECRET) from the owner and then to append them into ~/.zshrc for persistence. It also instructs generating and storing an unencrypted local private key file (.xenodia_agent_key). Asking an agent to write secrets into a shell rc file and to store raw private keys is scope-creep relative to just 'use the gateway' and increases exposure risk.
Install Mechanism
There is no remote install/download; the skill is instruction + included Python scripts. It asks the user to pip-install cdp-sdk and requests in CDP mode, which is a typical mechanism and not unusual. No arbitrary download URLs or archive extraction are present.
Credentials
The CDP mode legitimately requires CDP_API_KEY_ID, CDP_API_KEY_SECRET, and CDP_WALLET_SECRET (and optionally CDP_WALLET_NAME). These environment variables are necessary for Coinbase CDP operation. But the skill registry metadata lists no required env vars — an inconsistency. Also the instructions push storing these high-value secrets in ~/.zshrc (plain text), which is disproportionate from a security standpoint; a safer approach (OS keyring, restricted file with proper permissions, or not persisting at all) would be preferable.
Persistence & Privilege
The skill's scripts will create/modify files: .xenodia_agent_key in the skill folder (local private key) and SKILL.md explicitly instructs appending secrets to ~/.zshrc. While the skill does not request 'always: true' or modify other skills, the instructions ask the agent to persist credentials into a user shell config and to write unencrypted private keys to disk, which increases long-term exposure and is a meaningful privilege to be aware of.
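How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install xenodia
- Once installation completes, call the Skill by name or use /xenodia to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output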
Version history
v1.0.0
Initial release of the Xenodia skill — connect to the Xenodia Multimodal AI Gateway using EVM wallet identities.
- Supports both Local Keypair and Coinbase CDP Server Wallet authentication modes.
- Enables wallet balance checks, model availability queries, and switching LLM provider to Xenodia.
- Provides step-by-step setup instructions for both authentication modes.
- Includes troubleshooting guidance for common errors.
- Example helper scripts: `xenodia_client.py` (local) and `xenodia_cdp_client.py` (CDP).
- Allows generation of static API keys for integrating with third-party tools.
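Metadata
FAQ
What is xenodia?
Enables this agent to authenticate with and use the Xenodia Multimodal AI Gateway. Covers two wallet identity modes (local keypair OR CDP Server Wallet), bal... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 402 total downloads to date.
How do I install xenodia?
Run the command "/install xenodia" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.
Is xenodia free?
Yes, xenodia is completely free (open source and free of charge) and can be freely downloaded, installed and used.
Which platforms does xenodia support?
xenodia runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed xenodia?
It is developed and maintained by XENODIA (@xenodiaofficial); the current version is v1.0.0.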