Environment & Package Manager
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: x-env
Version: 1.0.0
The skill provides environment and package management capabilities via x-cmd, which inherently involves downloading and executing remote code. A primary indicator is the inclusion of a high-risk installation method (`curl | sh`) targeting `https://get.x-cmd.com` within `data/install.md`. While the documentation in `SKILL.md` and `data/install.md` is transparent about risks and provides guidelines for the agent to obtain user consent and prefer signed installation methods (Homebrew), the core functionality of managing and executing arbitrary third-party runtimes and tools remains a high-risk capability.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using this skill may add, remove, or change software versions in the user's environment.
The skill exposes commands that mutate the local software environment by installing, removing, or upgrading packages. This is central to the stated package-manager purpose, but users should notice that it can affect local tooling.
**use**: Permanently install software to user environment ... **unuse**: Remove installed software from user environment ... **upgrade**: Upgrade installed software versions
Run package-management commands only for packages and versions the user requested or approved, and prefer reversible, scoped changes when possible.
If the auto-install option is chosen, code from a remote server runs on the user's machine before manual review.
The install guide includes a curl-to-shell installation option that executes remote code. The same artifact clearly labels it high risk and says to avoid it in sensitive environments, so this is disclosed rather than hidden.
`curl -fsSL https://get.x-cmd.com | sh`
Prefer the Homebrew or manual-review install methods, and use the auto-install command only in disposable or low-risk environments with explicit user consent.
Installed packages and tooling depend on the integrity of external distribution sources.
The skill relies on external package and binary sources. This is expected for a package manager, and the guide documents verification expectations such as SHA256 checksums.
Binary packages from `https://github.com/x-cmd/release`; Conda packages from `https://conda.prefix.dev`
Use the documented verified sources, review scripts in sensitive environments, and avoid installing unneeded packages.
