Xaman Wallet Integration

v1.0.0

Integrate Xaman wallet SDK to authenticate users, connect wallets, request XRP payments, and manage sessions on the XRP Ledger.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability (flagged)
The SKILL.md describes exactly the expected behavior for a Xumm/Xaman PKCE wallet integration (loading the SDK from the Xumm CDN, authorizing, reading session state). However, the registry metadata claims no required environment variables while the runtime instructions explicitly require NEXT_PUBLIC_XAMAN_API_KEY. That metadata/instruction mismatch is incoherent and should be corrected.
Instruction Scope (flagged)
The instructions tell the agent (developer) to load a remote SDK from https://xumm.app/assets/cdn/xumm-oauth2-pkce.min.js and to persist sessions (JWTs) in localStorage by default. Loading third-party JS at runtime and storing tokens in localStorage are expected for a browser wallet integration but are security-sensitive actions; the SKILL.md does not provide guidance about securing the API key, mitigating XSS, or alternatives to localStorage.
Install Mechanism
This is instruction-only (no install spec, no files). That lowers static install risk, but the instruction requires including a remote CDN script (xumm.app). Runtime inclusion of remote code is normal for a web SDK but relies on trusting that domain and its supply chain.
Credentials (flagged)
The SKILL.md requires NEXT_PUBLIC_XAMAN_API_KEY (client-facing variable) but the skill metadata lists no required env vars. Requiring a NEXT_PUBLIC_ prefixed key is consistent with client-side use (public), but the metadata omission is misleading. Also, defaulting to rememberJwt:true means tokens are persisted to localStorage (accessible to other scripts), which raises proportionality/privacy concerns.
Persistence & Privilege
always is false and there is no install script or filesystem/config-path access requested. The skill does not ask for persistent platform-level privileges or to modify other skills. The main persistence concern is the SDK's use of browser localStorage for sessions (mentioned in the instructions).
What to consider before installing
This SKILL.md otherwise looks like a normal browser-side Xumm/Xaman wallet integration, but there are three points to check before installing:
(1) Metadata mismatch: the skill metadata declares no env vars but the instructions require NEXT_PUBLIC_XAMAN_API_KEY; ask the publisher to correct the metadata so you know what secrets/config are needed.
(2) Trust the CDN: the runtime instructs you to load code from https://xumm.app; verify that the domain and the SDK file are legitimate, and consider pinning a known-good release or hosting the SDK yourself if you need higher supply-chain assurance.
(3) Session storage and API key exposure: NEXT_PUBLIC_ indicates the key will be public in client builds, and the SDK persists JWTs in localStorage by default (accessible to other scripts and vulnerable to XSS). If you need stronger security, use server-side flows, avoid storing long-lived tokens in localStorage, or configure the SDK to use more secure storage.
If you cannot validate the skill author/source (homepage/source are missing), request provenance before installing.



