xpr-governance

v0.2.11

Interact with XPR Network on-chain governance: view communities, proposals, vote with weighted tokens, and create proposals paying community fees.

⭐ 0· 696·1 current·1 all-time

by@paulgnz

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for paulgnz/governance.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "xpr-governance" (paulgnz/governance) from ClawHub.
Skill page: https://clawhub.ai/paulgnz/governance
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install governance

ClawHub CLI

Package manager switcher

npx clawhub@latest install governance

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Suspicious

high confidence

Purpose & Capability

The skill's described purpose (read/view proposals and optionally vote/post proposals) matches the included code: read-only functions call the on-chain RPC and Gov API and write functions sign transactions. However the skill metadata declares no required environment variables or credentials while the code requires XPR_PRIVATE_KEY and XPR_ACCOUNT (and optionally XPR_PERMISSION) to sign transactions — this is an important mismatch between declared requirements and actual capability.

Instruction Scope

SKILL.md documents read-only and write tools and notes that write tools require confirmation, which is appropriate. But SKILL.md does not mention that signing requires storing a private key in env vars or that a dependency (@proton/js) is used. The runtime instructions/code do not read unrelated system files or call hidden endpoints; network calls are to public RPC endpoints and gov.api.xprnetwork.org. The main issue is omission of the signing credential from user-facing instructions/metadata.

ℹ

Install Mechanism

There is no install spec (instruction-only), which minimizes install-time risk. However the code dynamically imports '@proton/js' and expects Node runtime fetch usage; no dependencies are declared in skill.json. That means the environment must already provide @proton/js (or the operator will need to install it), which is an operational omission and could lead to ad-hoc installs by whoever runs it.

Credentials

The code requires XPR_PRIVATE_KEY and XPR_ACCOUNT for write operations — perfectly proportional to signing transactions — but these required env vars are not declared in skill.json or SKILL.md. Asking for a raw private key is high risk: anyone supplying that env grants the skill full signing authority for that account. The skill does not request unrelated credentials, but the omission of declaration and guidance about safer signing alternatives is worrying.

✓

Persistence & Privilege

The skill does not request always:true or other elevated persistence. It caches a session in memory (cachedSession) but does not modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but write tools require explicit confirmation per SKILL.md.

What to consider before installing

The code largely does what the description says, but it omits key operational details. Before installing or running this skill: (1) Do not put your full account private key into XPR_PRIVATE_KEY unless you fully trust the skill and author — supplying that env will allow the skill to sign transactions as your account. Prefer using a signing service, a hardware signer, or a key with minimal permissions. (2) Ask the author/maintainer to update skill.json and SKILL.md to explicitly list required env vars (XPR_PRIVATE_KEY, XPR_ACCOUNT, XPR_PERMISSION) and any runtime dependencies (e.g., @proton/js) so you can make an informed decision. (3) If you must test, use only the read-only tools first (they do not require keys) and run them in a sandboxed environment. (4) If enabling write features, consider using an ephemeral or limited-permission key and verify transactions produced before broadcasting. (5) Verify the source/publisher (source is unknown) and prefer skills with declared dependencies and clear provenance; lack of metadata and omitted credential declarations are the main reasons this skill is flagged suspicious.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ess0vfymct9xspqeyd35vyn813f0g

696downloads

0stars

1versions

Updated 1mo ago

v0.2.11

MIT-0

XPR Network Governance

You have tools to interact with XPR Network's on-chain governance system via the gov contract. Communities create proposals, and token holders vote on them.

Key Concepts

Communities — governance groups (XPR Network, Metal DAO, LOAN Protocol, XPR Grants, Metal X, D.O.G.E.). Each has its own voting strategy, proposal fee, and quorum.
Proposals — on-chain records with candidates (voting options), start/end times, and an approval status. Proposal content (title, description) is stored off-chain in the Gov API.
Voting Strategies — determine who can vote and how vote weight is calculated:
- xpr-unstaked-and-staked-balances — weight = XPR balance (staked + unstaked)
- xmt-balances — weight = XMT balance
- loan-and-sloan-balances — weight = LOAN + sLOAN balance
- kyc-verification — 1 vote per KYC-verified account
Voting Systems — "0" = single choice, "1" = multiple choice, "2" = ranked choice, "5" = approval voting
Quorum — minimum participation threshold (basis points, e.g. 300 = 3%)
Proposal Fee — token payment required to create a proposal (varies by community, e.g. 20,000 XPR, 100 XMT, 50,000 LOAN)

Active Communities

ID	Name	Strategy	Fee	Quorum
3	XPR Network	XPR balances	20,000 XPR	3%
4	Metal DAO	XMT balances	100 XMT	3%
5	LOAN Protocol	LOAN+sLOAN	50,000 LOAN	25%
6	XPR Grants	XPR balances	20,000 XPR	3%
7	Metal X	XPR balances	20,000 XPR	3%
8	D.O.G.E.	KYC verification	1 XDOGE	0.01%

Read-Only Tools (safe, no signing)

gov_list_communities — list all governance communities with strategies, fees, quorum, and admins
gov_list_proposals — list proposals with optional community and status filters
gov_get_proposal — get full proposal details including title and description from Gov API, plus vote totals per candidate
gov_get_votes — get individual votes cast on a proposal (scans from most recent)
gov_get_config — get governance global config (paused state, total counts)

Write Tools (require `confirmed: true`)

gov_vote — vote on an active proposal. Specify the candidate(s) and weight.
gov_post_proposal — create a new governance proposal. Requires paying the community's proposal fee (token transfer + postprop action in one transaction).

Voting

To vote, you need the communityId, proposalId, and winners (array of candidate IDs with weights). For simple Yes/No proposals, use [{id: 0, weight: 100}] for Yes or [{id: 1, weight: 100}] for No.

Creating Proposals

Creating a proposal requires:

A content ID — created via the Gov API (https://gov.api.xprnetwork.org)
Paying the community's proposal fee (token transfer to gov)
Calling postprop with all proposal parameters

The gov_post_proposal tool handles steps 2 and 3 (fee + postprop). You must provide the content ID from step 1.

Proposal URLs

Proposals can be viewed at: https://gov.xprnetwork.org/communities/{communityId}/proposals/{proposalId}

Safety Rules

Proposals have start and end times — voting is only allowed during the active period
Each community has different fee tokens — check the community's proposalFee before creating proposals
Quorum is in basis points (300 = 3%) — proposals need sufficient participation to pass
Admins can approve/decline proposals — the approve field shows the final status

Comments

Loading comments...