Xaman Wallet Integration

Result: Pass. Audited by ClawScan on May 1, 2026.

Overview

This is a coherent instruction-only wallet integration guide, but users should note that it loads a third-party SDK, handles wallet sessions, and can request payments and signatures.

This skill appears safe to review as an instruction-only Xaman integration guide. Before using it, confirm you trust the Xaman SDK source, configure the API key and redirect origins correctly, decide whether persistent localStorage sessions are acceptable, and make sure any payment or signature request requires clear user confirmation.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the remote SDK source changes or is compromised, code from that source would run in the user's web application.

Why it was flagged

The guide instructs loading a remote third-party JavaScript SDK directly into the application. This is coherent with the wallet integration purpose, but it makes the application dependent on that remote script source.

Skill content

<script src="https://xumm.app/assets/cdn/xumm-oauth2-pkce.min.js"></script>

Recommendation

Use the official SDK source, consider a pinned version or package-managed dependency, and apply standard web supply-chain controls such as integrity checks where available.

What this means

Implementations built from this guide may connect to a user's Xaman wallet account and access wallet session/account information.

Why it was flagged

The skill involves a wallet OAuth/API-key flow and user wallet identity access. This is expected for Xaman integration, but it is sensitive account-related authority.

Skill content

const xumm = new XummPkce(API_KEY, { ... }); ... await xumm.authorize(); ... Environment variable: `NEXT_PUBLIC_XAMAN_API_KEY`

Recommendation

Confirm the API key is intended for frontend use, configure allowed origins/redirects in Xaman, and avoid granting broader wallet permissions than the application needs.

What this means

A wallet session may remain available in the browser after initial login, which can be convenient but increases exposure if the application has XSS or the device/browser is shared.

Why it was flagged

The guide documents persistent wallet session storage and automatic session recovery. This is purpose-aligned, but persistent session state is sensitive and should be protected.

Skill content

rememberJwt: boolean,     // Persist session in localStorage (default: true) ... The SDK auto-restores sessions.

Recommendation

Decide whether persistent sessions are appropriate, consider `rememberJwt: false` or custom storage for higher-risk apps, and ensure logout and XSS protections are implemented.

What this means

An application using this guidance could ask users to approve XRP Ledger payments or signatures.

Why it was flagged

The skill explicitly includes payment and signature-request functionality. This is consistent with a wallet integration, but financial/signature actions are high-impact and should be implemented with clear user confirmation.

Skill content

Use for: ... (3) Requesting payment/signatures from users

Recommendation

Ensure every payment or signature request clearly shows the recipient, amount, network, and purpose, and require explicit user approval before submitting requests.