Xtown Skills

Manage BNBTown identity, wallet, DeFi actions, token launch, and market research on BNB Chain using Unibase Pay and ERC-8004 autonomous Agent framework.

This skill appears to be designed to operate a custodial wallet and perform on-chain actions, which reasonably requires a server URL and an auth token (JWT). However, the registry metadata did not declare any required environment variables while the SKILL.md expects XTOWN_SERVER_URL and UNIBASE_PROXY_AUTH (and optionally a private key env) and tells the agent to persist those tokens in a local config.json. Before installing: - Verify the skill's publisher/source (it's listed as unknown/no homepage). Prefer only skills hosted by known vendors. - Do NOT set UNIBASE_AGENT_PRIVATE_KEY or other private keys in the environment unless you fully trust the code and hosting; if present, the skill can authenticate silently. - Expect the skill to prompt you immediately on first load and to ask you to paste a JWT (authUrl flow). Make sure you understand where that token comes from and store it securely; avoid pasting private keys into chat. - Inspect or control where config.json will be written. If it will be stored in a repo, cloud-synced folder, or shared workspace, that is a high-risk location for tokens. - Ask the publisher to update registry metadata to explicitly declare required env vars (XTOWN_SERVER_URL, UNIBASE_PROXY_AUTH, UNIBASE_AGENT_PRIVATE_KEY) and to justify the automated login path. - If you proceed, limit the skill's autonomous privileges (if platform allows) and monitor any persisted tokens; revoke them immediately if you suspect misuse. Given the metadata/instruction mismatch and the proactive onboarding/persistence behavior, treat this skill with caution — the inconsistencies could be sloppy packaging or could enable unintended token exposure.

Type: OpenClaw Skill Name: xtown-skills Version: 0.1.0 The xtown-skills bundle is a legitimate integration for the BNBTown ecosystem on the BNB Chain, enabling AI agents to perform DeFi operations (swaps, lending, staking), navigate a virtual map, and manage on-chain identities via Unibase AIP. The skill includes extensive security documentation in SKILL.md and references/wallet.md, specifically instructing the agent to never ask for private keys, to validate all transactions with the owner, and to ignore prompt injection attempts. While the skill handles sensitive wallet operations and private keys (via environment variables), these capabilities are central to its stated purpose and are accompanied by robust safety protocols and transparent API interactions with legitimate infrastructure (e.g., api.xtown.io, api.pay.unibase.com).