Xaman Wallet Integration

v1.0.0

Integrate Xaman wallet SDK to authenticate users, connect wallets, request XRP payments, and manage sessions on the XRP Ledger.

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability [flagged]
The SKILL.md describes exactly the expected behavior for a Xumm/Xaman PKCE wallet integration (loading the SDK from the Xumm CDN, authorizing, reading session state). However, the registry metadata claims no required environment variables while the runtime instructions explicitly require NEXT_PUBLIC_XAMAN_API_KEY. That mismatch between metadata and instructions should be corrected.
Instruction Scope [flagged]
The instructions tell the agent (developer) to load a remote SDK from https://xumm.app/assets/cdn/xumm-oauth2-pkce.min.js and to persist sessions (JWTs) in localStorage by default. Loading third-party JS at runtime and storing tokens in localStorage are expected for a browser wallet integration but are security-sensitive actions; the SKILL.md does not provide guidance about securing the API key, mitigating XSS, or alternatives to localStorage.
Install Mechanism
This is instruction-only (no install spec, no files). That lowers static install risk, but the instructions require including a remote CDN script from xumm.app. Runtime inclusion of remote code is normal for a web SDK, but it relies on trusting that domain and its supply chain, and because the script URL carries no version, whatever that path serves at load time runs in your origin.
Credentials [flagged]
The SKILL.md requires NEXT_PUBLIC_XAMAN_API_KEY (a client-facing variable) but the skill metadata lists no required env vars. A NEXT_PUBLIC_ prefixed key is consistent with client-side use (the value is public), but the metadata omission is misleading. Also, the default rememberJwt: true persists session tokens to localStorage, where any script running in the page origin can read them, which raises proportionality and privacy concerns.
Persistence & Privilege
The always flag is false, and there is no install script or filesystem/config-path access requested. The skill does not ask for persistent platform-level privileges or to modify other skills. The main persistence concern is the SDK's use of browser localStorage for sessions (mentioned in the instructions).
What to consider before installing
This SKILL.md otherwise looks like a normal browser-side Xumm/Xaman wallet integration, but there are three points to check before installing:

  1. Metadata mismatch: the skill metadata declares no env vars but the instructions require NEXT_PUBLIC_XAMAN_API_KEY. Ask the publisher to correct the metadata so you know what secrets and config are needed.
  2. Trust the CDN: the runtime instructs you to load code from https://xumm.app. Verify that the domain and the SDK file are legitimate, and note that the script URL carries no version, so the bytes can change without notice. For higher supply-chain assurance, self-host a pinned, audited copy of the SDK; a Subresource Integrity hash on the script tag fails closed if the file changes, which is the behaviour you want for an unversioned URL.
  3. Session storage and API key exposure: NEXT_PUBLIC_ indicates the key is inlined into client builds and is therefore public, and the SDK persists JWTs in localStorage by default, where any script running in your origin (including one injected via XSS) can read them. If you need stronger security, use server-side flows, avoid storing long-lived tokens in localStorage, set rememberJwt to false, or supply a storage option that keeps the session in memory or sessionStorage.

If you cannot validate the skill author or source (homepage and source are missing), request provenance before installing.


Latest version id: vk97dp3n30qa8fts211mhded00x814ajk
534 downloads
0 stars
1 version
Updated 1mo ago
v1.0.0
License: MIT-0

Xaman Wallet Integration

Quick Start

  1. Load the SDK (in layout.tsx or HTML head):

<script src="https://xumm.app/assets/cdn/xumm-oauth2-pkce.min.js"></script>

  2. Initialize and connect:

// The key is public by design (NEXT_PUBLIC_ prefix): Next.js inlines it into the client bundle.
const API_KEY = process.env.NEXT_PUBLIC_XAMAN_API_KEY as string;
const XummPkce = (window as any).XummPkce;
const xumm = new XummPkce(API_KEY, {
  redirectUrl: window.location.origin + "/dashboard"
});

// Listen for auth events; read the account from state(), not from the event payload
xumm.on("success", async () => {
  const account = (await xumm.state())?.me?.account;
  console.log("Connected:", account);
});

xumm.on("error", (err: unknown) => {
  console.error("Xaman auth failed:", err);
});

// Start auth flow (opens a popup, so call this from a click handler)
await xumm.authorize();
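The Quick Start above, carried through as an added example that is not part of this skill or of the xumm-oauth2-pkce SDK: it loads the script with a Subresource Integrity hash and starts the flow from a click handler, which also covers the popup-blocked and account-undefined items listed under Troubleshooting. The integrity value, the injected document and constructor (so the wiring can be exercised outside a browser) and the function names are assumptions of the example. You compute the hash yourself over the file you audited; because the CDN path carries no version, an SDK update makes the check fail closed, so self-hosting a pinned copy is the practical option.

```javascript
// Added example, not the skill's code and not the SDK's. Assumptions are
// labelled: SDK_SRC is the Quick Start URL, the SRI hash is supplied by the
// caller, and `doc` / `XummPkce` are parameters rather than browser globals.

const SDK_SRC = "https://xumm.app/assets/cdn/xumm-oauth2-pkce.min.js";

// Build the <script> element with integrity + crossorigin. The browser refuses
// to execute a file whose digest differs from the pinned one. Compute the value
// with: openssl dgst -sha384 -binary xumm-oauth2-pkce.min.js | openssl base64 -A
function buildSdkScript(doc, integrity, src = SDK_SRC) {
  if (!/^sha(256|384|512)-[A-Za-z0-9+/]+={0,2}$/.test(integrity)) {
    throw new Error("integrity must be an SRI value like sha384-<base64 digest>");
  }
  const el = doc.createElement("script");
  el.src = src;
  el.integrity = integrity;
  el.crossOrigin = "anonymous"; // SRI on a cross-origin script needs CORS mode
  return el;
}

// Append the tag and resolve with the global the SDK installs (window.XummPkce).
function loadSdk(doc, integrity) {
  return new Promise((resolve, reject) => {
    const el = buildSdkScript(doc, integrity);
    el.onload = () => resolve(doc.defaultView.XummPkce);
    el.onerror = () => reject(new Error("SDK blocked (integrity mismatch) or unreachable"));
    doc.head.appendChild(el);
  });
}

// Pull the account out of xumm.state(). It is nested and can be missing, which
// is the "Account undefined" case in Troubleshooting; never assume it is there.
function accountFromState(state) {
  const account = state && state.me && state.me.account;
  return typeof account === "string" && account.length > 0 ? account : null;
}

// Returns a click handler. authorize() opens a popup, so it must run inside a
// user gesture or the popup blocker cancels it. rememberJwt is off here so the
// session is not written to localStorage (see the scanner's note on that).
function createConnectHandler(XummPkce, apiKey, redirectUrl, onResult) {
  if (!apiKey) throw new Error("NEXT_PUBLIC_XAMAN_API_KEY is not set");
  const xumm = new XummPkce(apiKey, { redirectUrl, rememberJwt: false });
  xumm.on("success", async () => {
    const account = accountFromState(await xumm.state());
    onResult(account ? { account } : { error: new Error("no account in session state") });
  });
  xumm.on("error", (error) => onResult({ error }));
  return async function onClick() {
    try {
      await xumm.authorize();
    } catch (error) {
      onResult({ error });
    }
  };
}

// Browser wiring (assumed; Next.js client component, key from NEXT_PUBLIC_XAMAN_API_KEY):
//   const XummPkce = await loadSdk(document, "sha384-<digest of the copy you audited>");
//   connectButton.onclick = createConnectHandler(
//     XummPkce, process.env.NEXT_PUBLIC_XAMAN_API_KEY,
//     location.origin + "/dashboard", (r) => console.log(r));
```

The constructor is passed in rather than read from window so the handler logic can be unit-tested with a stand-in; in the page itself it is simply the global the loaded script installs.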

API Key

Get your API key from: https://xumm.app/dashboard/developer

Environment variable: NEXT_PUBLIC_XAMAN_API_KEY

Key Methods

  • new XummPkce(apiKey, options) - Initialize SDK
  • xumm.authorize() - Start OAuth flow, opens Xaman app
  • xumm.state() - Get current user session
  • xumm.logout() - Clear session
  • xumm.on("success", callback) - Listen for successful auth
  • xumm.on("error", callback) - Listen for errors

Options

{
  redirectUrl: string,      // Where to redirect after auth
  rememberJwt: boolean,     // Persist session in localStorage (default: true)
  storage: Storage,         // Custom storage (default: localStorage)
  implicit: boolean         // Use implicit flow (default: false)
}

Session Recovery

The SDK auto-restores sessions. Call xumm.logout() before authorize() to force fresh login.
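The storage and rememberJwt options above, and the Session Recovery advice, worked through as an added example that is not part of this skill or of the SDK. It supplies a memory-only Web Storage implementation for the storage option, picks a storage policy, and checks a restored session's expiry before deciding whether to call logout() first. Assumptions of the example: the storage option accepts any object with the Storage interface (the page documents it only as Storage), the persisted token is a standard JWT with a numeric exp claim, and the object from xumm.state() exposes it as jwt; the sample token is constructed unsigned purely as input for the checks.

```javascript
// Added example, not the skill's code and not the SDK's. Assumptions labelled:
// `storage` accepts any Storage-shaped object, the token is a JWT with `exp`,
// and xumm.state() exposes it as `jwt`.

// Web Storage compatible store that lives in memory only: nothing reaches disk
// and the session is gone on reload (pair it with rememberJwt: false).
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return Array.from(this.map.keys())[i] ?? null; }
  getItem(k) { return this.map.has(String(k)) ? this.map.get(String(k)) : null; }
  setItem(k, v) { this.map.set(String(k), String(v)); }
  removeItem(k) { this.map.delete(String(k)); }
  clear() { this.map.clear(); }
}

// Storage policy: "memory" (above), "session" (per tab, cleared on close) or
// "local" (the SDK default; survives restarts, readable by any script in the origin).
function chooseStorage(policy, win) {
  switch (policy) {
    case "memory": return new MemoryStorage();
    case "session": return win.sessionStorage;
    case "local": return win.localStorage;
    default: throw new Error("unknown storage policy: " + policy);
  }
}

// Options for new XummPkce(apiKey, options) under the chosen policy.
function hardenedOptions(origin, policy, win = globalThis) {
  return {
    redirectUrl: origin + "/dashboard",
    rememberJwt: policy !== "memory",
    storage: chooseStorage(policy, win),
  };
}

function b64urlEncode(str) {
  const bytes = new TextEncoder().encode(str);
  return btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function b64urlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const bin = atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
  return new TextDecoder().decode(Uint8Array.from(bin, (c) => c.charCodeAt(0)));
}

// Parse the payload only; the signature is NOT verified. This is a client-side
// freshness check; your backend must still verify the JWT it receives.
function jwtPayload(jwt) {
  const parts = typeof jwt === "string" ? jwt.split(".") : [];
  if (parts.length !== 3) throw new Error("not a compact JWS/JWT");
  return JSON.parse(b64urlDecode(parts[1]));
}

// True when exp is still in the future with a clock-skew margin. Malformed
// tokens and tokens without exp are treated as stale.
function sessionIsFresh(jwt, nowSeconds, skewSeconds = 30) {
  try {
    const exp = jwtPayload(jwt).exp;
    return typeof exp === "number" && exp - skewSeconds > nowSeconds;
  } catch (_) {
    return false;
  }
}

// Session Recovery: decide whether to call xumm.logout() before authorize()
// instead of silently trusting whatever the SDK restored from storage.
function shouldForceFreshLogin(state, nowSeconds) {
  const jwt = state && state.jwt;
  return !(typeof jwt === "string" && sessionIsFresh(jwt, nowSeconds));
}

// Constructed sample input only: an unsigned alg "none" token to feed the
// checks above. Real Xaman tokens are signed; never mint these in an app.
function encodeUnsignedJwt(payload) {
  const header = b64urlEncode(JSON.stringify({ alg: "none", typ: "JWT" }));
  return header + "." + b64urlEncode(JSON.stringify(payload)) + ".";
}

// Browser wiring (assumed):
//   const xumm = new XummPkce(process.env.NEXT_PUBLIC_XAMAN_API_KEY,
//                             hardenedOptions(location.origin, "session", window));
//   if (shouldForceFreshLogin(await xumm.state(), Date.now() / 1000)) await xumm.logout();
//   await xumm.authorize();
```

The memory policy turns rememberJwt off because the store forgets on reload anyway; the session policy keeps rememberJwt on but bounds the token's lifetime to the tab, which is usually the right trade-off for a wallet dashboard.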

Troubleshooting

  • Popup blocked: Browser popup blocker may prevent authorize() - call from user action
  • Account undefined: Use xumm.state().then(s => s.me.account) after success event
  • CORS errors: Ensure redirectUrl matches your app's origin
