X2c Publish

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill is transparent about using the X2C API, but it gives the agent direct commands for publishing content and moving wallet assets, including USDC withdrawals, without clear confirmation or scope limits.

Install only if you intend the agent to publish to X2C and help manage wallet assets. Before using wallet functions, confirm every amount, action, and destination address yourself, and use a least-privileged API key if X2C supports one.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Severity: High

What this means

If the agent is allowed to run these commands with a valid API key, a mistaken or over-broad instruction could move wallet funds or perform other irreversible account actions.

Why it was flagged

The skill documents a raw API call that can withdraw USDC to a specified wallet address. The artifacts do not add a required confirmation step, transaction preview, allowlist, or amount/address safety check around this high-impact action.

Skill content

curl -m 60 -X POST "$X2C_API_BASE_URL" ... -d '{"action": "wallet/withdraw-usdc", "amount": 10.0, "to_address": "SolanaAddress..."}'

Recommendation

Use this only with explicit user approval for each publish, claim, swap, or withdrawal. Verify destination addresses and amounts manually, and prefer API keys or platform settings that limit wallet-transfer permissions if available.

ASI03: Identity and Privilege Abuse
Severity: Medium

What this means

Anyone or any agent process with access to the key may be able to act on the X2C account and wallet according to that key's permissions.

Why it was flagged

The skill uses an X2C API key for authenticated account operations, including wallet balance, claims, swaps, withdrawals, and transaction history. This credential use is expected for the stated purpose, but it is powerful.

Skill content

Headers:

- `Content-Type: application/json`
- `X-API-Key: <your_x2c_api_key>`

Recommendation

Store the key securely, avoid sharing it across unrelated tasks, rotate it if exposed, and use the least-privileged or wallet-restricted API key available.

ASI03: Identity and Privilege Abuse
Severity: Low

What this means

A locally stored key could be reused later by the agent or read by someone with access to the OpenClaw configuration or credential files.

Why it was flagged

The skill supports persistent local storage of the X2C API key. This is disclosed and purpose-aligned, but it increases the importance of local file and config protection.

Skill content

Store API key in `credentials/{USER_ID}.json` ... Or set `X2C_API_KEY` env var, or configure via `skills."x2c-publish".env.X2C_API_KEY` in `~/.openclaw/openclaw.json`.

Recommendation

Use restrictive file permissions, do not commit credential files, and remove the key from local config when it is no longer needed.

ASI04: Agentic Supply Chain Vulnerabilities
Severity: Low

What this means

Users have less independent information to confirm that the skill and API instructions come from the legitimate X2C service.

Why it was flagged

The registry metadata does not provide a source repository or homepage for verifying the publisher, API documentation, or intended production endpoint.

Skill content

Source: unknown
Homepage: none

Recommendation

Verify the API endpoint, publisher, and X2C documentation through trusted channels before providing a wallet-capable API key.