Xian SDK
Pass. Audited by ClawScan on May 10, 2026.
Overview
This is a coherent instruction-only Xian blockchain SDK reference with no hidden code, but its examples involve package installation, wallet secrets, and real blockchain transactions that users should handle carefully.
This skill appears appropriate for Xian SDK development. Before installing or using it, verify and pin the xian-py package, use a virtual environment, avoid exposing real private keys or mnemonics, and require explicit confirmation before sending transactions or deploying contracts.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If examples are run without review, tokens could be transferred or contracts called on a live network.
The skill documents token transfer and contract-transaction APIs. This is central to the stated blockchain SDK purpose, but executing similar code with a real wallet can move funds or mutate on-chain state.
result = xian.send(amount=100, to_address='recipient')
Use test networks first, verify node URL, recipient, amount, contract, and function, and require explicit user approval before any transaction or deployment.
Anyone who obtains a real private key or mnemonic can control the associated wallet.
The wallet examples handle private keys and mnemonics, which are expected for blockchain development, but printing or pasting them can expose control of funds.
print(wallet.private_key) # Keep secret!
Do not print, paste, or store real wallet secrets in chat logs or shared files; use secure key management and only use disposable test wallets in examples.
Installing an unpinned package trusts the current package distribution and its dependencies.
The skill relies on installing an external Python package. This is expected for an SDK reference, but the example does not pin a version or hash.
pip install xian-py
Install in a virtual environment, verify the package source, and pin versions or hashes for reproducible projects.
A contract using this pattern without allowlists or access controls may let callers reach functions the developer did not intend to expose.
The upgradeable contract pattern demonstrates dynamic function dispatch. It is example contract code, not skill runtime behavior, but copied naively it could expose unintended functions.
fn = getattr(impl, function)
return fn(**kwargs)
Review upgradeable contract designs carefully, restrict callable functions, and add explicit access-control checks where needed.
