Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
X2c Publish
v0.1.0
X2C Distribution and Wallet API — publish video to X2C platform, manage assets (balance, claim X2C, swap to USDC, withdraw, transactions).
⭐ 0· 213·1 current·1 all-time
by Parker @patches429
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared requirement (X2C_API_KEY) matches the described capabilities (distribution + wallet operations). However the SKILL.md also relies on additional configuration (X2C_API_BASE_URL override, USER_ID and per-user credential files, and a ~/.openclaw/openclaw.json config path) that are not listed in requires.env or manifest metadata. The lack of a homepage or publisher information increases the need for scrutiny.
Instruction Scope
The SKILL.md instructs reading/writing credentials/{USER_ID}.json and references ~/.openclaw/openclaw.json and an env-based USER_ID. Those file and env references are outside the single declared X2C_API_KEY and imply the agent will access/modify per-user credential files and configuration on disk. While multi-user credential storage can be legitimate, it materially expands what the agent will access and should be explicitly declared and secured.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — low install/execution surface (nothing is written to disk by an installer). That lowers installation risk.
Credentials
Only X2C_API_KEY is declared as required and is appropriate for the stated API operations (including wallet actions such as withdrawals). However SKILL.md also uses/mentions X2C_API_BASE_URL and USER_ID (and storing credentials files) without declaring them. The wallet functionality implies the API key has financial privileges; the key should therefore be scoped and treated as sensitive.
Persistence & Privilege
always:false and no install hooks are present. The skill suggests writing/reading its own credential files and using the agent config at ~/.openclaw/openclaw.json for an env override; those are limited to the skill's own config scope and not an automatic global privilege escalation. Still, storing API keys on disk increases exposure and should be handled carefully.
What to consider before installing
Before installing or supplying credentials:
1) Verify the publisher/source — there is no homepage or known owner info.
2) Treat X2C_API_KEY as a sensitive credential — use a least-privilege key (if the API supports scoping) and rotate it after testing.
3) The SKILL.md references X2C_API_BASE_URL and USER_ID and instructs reading/writing credentials/{USER_ID}.json and ~/.openclaw/openclaw.json even though only X2C_API_KEY is declared; expect the agent to access that file path and the configured env var. If you don’t want credentials written to disk, don’t enable per-user file storage.
4) Limit wallet risk: test with an account/key that has no withdraw/transfer privileges until you trust the skill.
5) Consider running this skill in an isolated environment or sandbox and confirm the API endpoints and base URL (set X2C_API_BASE_URL explicitly) to avoid surprises.
6) If you need higher assurance, request provenance (official X2C homepage or source repo) and an explicit manifest listing all env vars and file paths the skill will access.
Like a lobster shell, security has layers — review code before you run it.
latestvk9737nv2b2sdegfk7rtra8kz9d82khgt
Runtime requirements
📤 Clawdis
Env: X2C_API_KEY
Primary env: X2C_API_KEY
