Xian Node

Pass. Audited by ClawScan on May 1, 2026.

Overview

The skill appears to provide coherent, user-directed guidance for running Xian blockchain nodes, with expected but important risks around remote builds, validator keys, persistent services, and reset commands.

This skill is reasonable for setting up and operating a Xian node. Before installing or using it, verify the external Xian repositories/packages, avoid exposing real validator private keys in chat or shell history, and require explicit approval before running reset, wipe, transaction-sending, or long-running node commands.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The node software built or installed may change if the upstream repository or branch changes.

Why it was flagged

The skill directs the user to clone and build external upstream code from a branch rather than a pinned commit. This is expected for node setup, but users should notice the supply-chain dependency.

Skill content

git clone https://github.com/xian-network/xian-stack.git
cd xian-stack
make setup CORE_BRANCH=mainnet CONTRACTING_BRANCH=mainnet

Recommendation

Verify the repository and branch before building, and consider pinning a known-good commit or release for production nodes.

What this means

Running reset or wipe commands can delete local blockchain node data and force resynchronization or reinitialization.

Why it was flagged

The skill documents commands that can remove local node data. They are clearly labeled and purpose-aligned, but they are high-impact operations if run unintentionally.

Skill content

`make wipe` | Clear node data (keeps config)
`make dwu` | Down + wipe + init + up (full reset)

Recommendation

Only allow an agent to run wipe/reset commands after explicit confirmation and after backing up any needed node data.

What this means

A validator private key can control validator identity and should not be exposed in logs, shell history, process listings, or shared agent context.

Why it was flagged

Validator private-key handling is part of the intended validator setup, but it is sensitive authority and the example places the key directly in a command argument.

Skill content

make configure CONFIGURE_ARGS='--moniker "my-validator" ... --validator-privkey "<your-privkey>" ...'

Recommendation

Use validator keys only when necessary, keep them secret, avoid pasting real keys into shared conversations when possible, and prefer safer key-loading methods if the underlying tooling supports them.

Note (High Confidence)
ASI10: Rogue Agents
What this means

The node may keep consuming CPU, disk, network bandwidth, and open ports until it is stopped.

Why it was flagged

The skill intentionally starts persistent background node processes. This is disclosed and expected for running a blockchain node, but users should understand it continues after the interactive shell exits.

Skill content

make up           # Start pm2 processes
exit              # Leave shell (node keeps running)

Recommendation

Monitor the running services and use the documented stop commands such as `make down` or `make core-down` when the node should no longer run.