Xpoz Setup
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Xpoz Setup is a mostly coherent OAuth setup skill, but its headless-login helper handles the pasted authorization code in a way that could run unintended code on your machine.
Install only if you intend to connect Xpoz to your agent. The normal OAuth and mcporter configuration behavior is expected, but avoid the remote/headless OAuth helper until the authorization-code handling is fixed, or use the local browser login flow instead.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
In the headless OAuth flow, a malicious or malformed authorization code could cause the helper to execute unintended local Python code during setup.
The OAuth code supplied to the script is interpolated into the Python source passed to python3 -c rather than handed to Python as data via argv, stdin, or an environment variable. A crafted value containing Python syntax (for example, a stray quote followed by further statements) could therefore alter the generated program.
CODE="${2:?Usage: oauth-remote.sh exchange <code>}" ... python3 -c "... 'code': '${CODE}', ..."
Pass the authorization code as data, such as through sys.argv or an environment variable, parse pasted URLs safely, and validate OAuth state before exchange. Until fixed, prefer the local browser login flow or inspect/patch the helper before using the headless flow.
Authorizing this skill links your Xpoz/Google-backed account to the agent's MCP configuration for Xpoz social media intelligence queries.
The skill clearly discloses that it authenticates an Xpoz account through Google OAuth so the agent can use Xpoz MCP tools.
"credentials": "Xpoz account (free tier) — obtained via Google OAuth during setup"
Only authorize the intended account, review the OAuth screen and scope, and revoke Xpoz access later if you no longer want the agent to use it.
Installing and invoking the setup can change your local MCP configuration so Xpoz tools are available to the agent.
The skill instructs the agent to modify the local mcporter MCP configuration to add the remote Xpoz server. This is consistent with the documented setup, but it is still a change to the local agent/tool configuration.
mcporter config add xpoz https://mcp.xpoz.ai/mcp --auth oauth
Proceed only if you want Xpoz registered as an MCP server, and keep or request clear removal instructions in case you later want to disconnect it.
