pbjhsu

XO Protocol

Author: pbjhsu · GitHub ↗ · v2.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 255
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install xo-protocol
Description
Dating intelligence API — identity verification, compatibility scoring, reputation, and social signals via XO Protocol. The social passport for AI agents.
Security usage advice
This package generally looks like what it claims (an SDK + MCP server for a dating-trust API), but there are important mismatches and operational risks to consider:
- Metadata mismatch: the skill registry lists no required environment variables, yet the SKILL.md and the MCP server require XO_API_KEY and XO_ACCESS_TOKEN. Treat that as a transparency red flag and ask the publisher to correct the manifest.
- Secrets exposure: the recommended integration stores XO_API_KEY and XO_ACCESS_TOKEN in your AI client's MCP config (~/.claude/mcp_servers.json). That file grants the local MCP process (and therefore any agent tooling that talks to it) access to your keys. Only use tokens with the minimal scopes needed, rotate them regularly, and consider running the MCP server in an isolated account or environment.
- Source verification: SKILL.md and README point to a GitHub repository and xoxo.space domains, but the skill source in the registry is 'unknown'. Before installing or adding the MCP server, verify the upstream GitHub repo, check commit history and releases, and confirm the domain(s) (protocol.xoxo.space, xoxo.space) are legitimate and match the organization you expect.
- Client secrets: examples show using client_secret for confidential OAuth flows. Never embed long-lived client secrets or private keys in public repos or in shared config files. Use PKCE for public clients where possible.

If you cannot verify the package source and the domain ownership, or you are uncomfortable storing tokens in your AI client's config, do not install/run this MCP server. If you proceed, limit token scopes, run in an isolated environment, and audit network connections and logs.
Functional analysis
Type: OpenClaw Skill
Name: xo-protocol
Version: 2.0.0

The xo-protocol skill bundle provides a legitimate integration for a dating intelligence API, offering tools for identity verification, reputation scoring, and social signals. The code consists of a standard JavaScript SDK (sdk/index.js), an MCP server for AI agents (examples/mcp-server.js), and clear documentation (SKILL.md, README.md) that emphasizes privacy through OAuth authorization and ephemeral user IDs. No evidence of data exfiltration, malicious execution, or prompt injection was found; the bundle follows established security patterns for API-based services.
Capability assessment
Purpose & Capability
Files (SDK, examples, OpenAPI) match the described purpose (identity verification, reputation, compatibility). Requiring an API key and a user JWT (XO_API_KEY, XO_ACCESS_TOKEN) is coherent for this API. However, the registry metadata claims no required environment variables while the SKILL.md and mcp-server example explicitly require XO_API_KEY and XO_ACCESS_TOKEN — an inconsistency that should be resolved before trusting the package.
Instruction Scope
SKILL.md instructs running an MCP server and adding a local entry to an AI client's config (~/.claude/mcp_servers.json) with environment variables. Those instructions are within scope for exposing an API to agents, but they explicitly require placing secrets (API key/JWT) into the agent configuration which gives the local MCP process access to those tokens. The instructions do not ask to read unrelated system files or exfiltrate data, but granting the MCP server these tokens effectively gives any agent-bound tooling that can call the server access to the user's API/JWT — exercise caution.
Install Mechanism
There is no automated install spec in the registry (instruction-only install). The SKILL.md suggests git-clone of a GitHub repo and using npm to install a known SDK; the code shipped with the skill mirrors a normal open-source SDK + examples. No downloads from obscure hosts or obfuscated installers were found in the provided materials.
Credentials
The skill requires an XO API key and a user access token (JWT) to function — appropriate for the described API — but the registry metadata lists no required environment variables. This mismatch reduces transparency. Additionally the examples show using client_secret and exchanging codes; those secrets are normal for OAuth confidential clients but increase risk if placed in agent config files. Confirm minimal scopes and rotation policies before providing tokens.
Persistence & Privilege
The skill does not request 'always: true' and uses an MCP server pattern (local process invoked by the AI client). That is expected for MCP-based tools. However, running the MCP server with XO_API_KEY and XO_ACCESS_TOKEN stored in the AI client's config means the skill will have persistent access to those credentials while running — verify you are comfortable storing and exposing those tokens to your AI client and any skills the client may invoke.
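How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install xo-protocol
  3. Once installation completes, call the Skill by name or use /xo-protocol to trigger it
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history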
v2.0.0
xo-protocol 2.0.0
- Major update adding comprehensive documentation and usage workflows.
- Introduces a privacy-first dating intelligence API for AI agents.
- New tools include identity verification, compatibility scoring, reputation checks, social signal analysis, profile browsing, and newsfeed access.
- Clearly documents setup instructions, example usage, and privacy safeguards.
- Links to API docs, OpenAPI spec, and SDK provided.
Metadata
Slug xo-protocol
Version 2.0.0
License MIT-0
Total installs 0
Current installs 0
Historical versions 1
FAQ

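What is XO Protocol?

Dating intelligence API — identity verification, compatibility scoring, reputation, and social signals via XO Protocol. The social passport for AI agents. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 255 cumulative downloads to date.

How do I install XO Protocol?

Run the command "/install xo-protocol" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is XO Protocol free?

Yes, XO Protocol is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does XO Protocol support?

XO Protocol runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed XO Protocol?

Developed and maintained by pbjhsu (@pbjhsu); the current version is v2.0.0.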
