ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

X2c Publish

v0.1.0

X2C Distribution and Wallet API — publish video to X2C platform, manage assets (balance, claim X2C, swap to USDC, withdraw, transactions).

0· 287·1 current·1 all-time
byParker@patches429

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for patches429/x2c-publish.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "X2c Publish" (patches429/x2c-publish) from ClawHub.
Skill page: https://clawhub.ai/patches429/x2c-publish
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: X2C_API_KEY
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install x2c-publish

ClawHub CLI

Package manager switcher

npx clawhub@latest install x2c-publish
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared requirement (X2C_API_KEY) matches the described capabilities (distribution + wallet operations). However the SKILL.md also relies on additional configuration (X2C_API_BASE_URL override, USER_ID and per-user credential files, and a ~/.openclaw/openclaw.json config path) that are not listed in requires.env or manifest metadata. The lack of a homepage or publisher information increases the need for scrutiny.
!
Instruction Scope
The SKILL.md instructs reading/writing credentials/{USER_ID}.json and references ~/.openclaw/openclaw.json and an env-based USER_ID. Those file and env references are outside the single declared X2C_API_KEY and imply the agent will access/modify per-user credential files and configuration on disk. While multi-user credential storage can be legitimate, it materially expands what the agent will access and should be explicitly declared and secured.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — low install/execution surface (nothing is written to disk by an installer). That lowers installation risk.
Credentials
Only X2C_API_KEY is declared as required and is appropriate for the stated API operations (including wallet actions such as withdrawals). However SKILL.md also uses/mentions X2C_API_BASE_URL and USER_ID (and storing credentials files) without declaring them. The wallet functionality implies the API key has financial privileges; the key should therefore be scoped and treated as sensitive.
Persistence & Privilege
always:false and no install hooks are present. The skill suggests writing/reading its own credential files and using the agent config at ~/.openclaw/openclaw.json for an env override; those are limited to the skill's own config scope and not an automatic global privilege escalation. Still, storing API keys on disk increases exposure and should be handled carefully.
What to consider before installing
Before installing or supplying credentials: 1) Verify the publisher/source — there is no homepage or known owner info. 2) Treat X2C_API_KEY as a sensitive credential — use a least-privilege key (if the API supports scoping) and rotate it after testing. 3) The SKILL.md references X2C_API_BASE_URL and USER_ID and instructs reading/writing credentials/{USER_ID}.json and ~/.openclaw/openclaw.json even though only X2C_API_KEY is declared; expect the agent to access that file path and the configured env var. If you don’t want credentials written to disk, don’t enable per-user file storage. 4) Limit wallet risk: test with an account/key that has no withdraw/transfer privileges until you trust the skill. 5) Consider running this skill in an isolated environment or sandbox and confirm the API endpoints and base URL (set X2C_API_BASE_URL explicitly) to avoid surprises. 6) If you need higher assurance, request provenance (official X2C homepage or source repo) and an explicit manifest listing all env vars and file paths the skill will access.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📤 Clawdis
EnvX2C_API_KEY
Primary envX2C_API_KEY
latestvk9737nv2b2sdegfk7rtra8kz9d82khgt
287downloads
0stars
1versions
Updated 5h ago
v0.1.0
MIT-0
Parker@patches429
latest
Download

X2C Publish - Distribution & Wallet API

Publish video content to the X2C platform and manage digital assets.

Critical Rules

  • Complete ALL workflow steps in order — never skip steps
  • Always add timeout to curl commands: -m 60
  • NEVER retry failed requests — report error and ask user
  • Check project status before publishing to avoid duplicates
  • Cover URL must be an image (jpg/png/webp), never a video URL

Multi-User Support

Store API key in credentials/{USER_ID}.json:

{
  "x2cApiKey": "x2c_sk_xxx"
}

Set USER_ID env var when calling. OpenClaw passes it automatically from chat context.

Or set X2C_API_KEY env var, or configure via skills."x2c-publish".env.X2C_API_KEY in ~/.openclaw/openclaw.json.

Distribution Workflow

1. distribution/categories → Get categories
2. distribution/upload-url → Get S3 presigned upload URLs
3. Upload files to S3 via HTTP PUT
4. distribution/publish → Submit with public_url from Step 3
5. distribution/query → Check review status
6. distribution/add-episodes → Add more episodes
7. distribution/list → List all projects

Two ways to provide videos:

  1. S3 Upload — use upload-url workflow for local files
  2. External URL — use existing video URLs directly in publish

API Endpoint

All requests go to the X2C Open API. The base URL is configured via X2C_API_BASE_URL env var or defaults to the production endpoint.

Headers:

  • Content-Type: application/json
  • X-API-Key: <your_x2c_api_key>

Get Categories

curl -m 60 -X POST "$X2C_API_BASE_URL" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $X2C_API_KEY" \
  -d '{"action": "distribution/categories", "lang": "zh-CN"}'

Get Upload URLs

curl -m 60 -X POST "$X2C_API_BASE_URL" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $X2C_API_KEY" \
  -d '{
    "action": "distribution/upload-url",
    "files": [
      {"file_type": "cover", "file_name": "cover.jpg", "content_type": "image/jpeg"},
      {"file_type": "video", "file_name": "ep1.mp4", "content_type": "video/mp4"}
    ]
  }'

Response includes upload_url, upload_headers, and public_url.

Upload to S3

Use the upload_url and upload_headers from the previous response:

curl -X PUT "<upload_url>" \
  -H "Content-Type: image/jpeg" \
  <additional headers from upload_headers> \
  --data-binary @cover.jpg

Publish Project

curl -m 60 -X POST "$X2C_API_BASE_URL" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $X2C_API_KEY" \
  -d '{
    "action": "distribution/publish",
    "title": "My Drama",
    "description": "A story about...",
    "category_id": "uuid",
    "cover_url": "https://...",
    "video_urls": ["https://..."],
    "enable_prediction": false
  }'
ParamRequiredDescription
titleYesProject name (max 100 chars)
descriptionYesSynopsis (max 2000 chars)
category_idYesCategory UUID
cover_urlYesCover image URL
video_urlsYesArray of video URLs (1-10)
enable_predictionNoEnable prediction market

Query Status

curl -m 60 -X POST "$X2C_API_BASE_URL" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $X2C_API_KEY" \
  -d '{"action": "distribution/query", "project_id": "uuid"}'

Status values: draft, pending_review, approved, rejected

Add Episodes

curl -m 60 -X POST "$X2C_API_BASE_URL" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $X2C_API_KEY" \
  -d '{
    "action": "distribution/add-episodes",
    "project_id": "uuid",
    "video_urls": ["https://..."]
  }'

List Projects

curl -m 60 -X POST "$X2C_API_BASE_URL" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $X2C_API_KEY" \
  -d '{"action": "distribution/list", "page": 1, "page_size": 20, "status": "approved"}'

Wallet API (Asset Management)

Get Balance

curl -m 60 -X POST "$X2C_API_BASE_URL" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $X2C_API_KEY" \
  -d '{"action": "wallet/balance"}'

Returns: credits, x2c_wallet_balance, x2c_pending_claim, x2c_pending_release, usdc_balance, wallet_address.

Claim X2C

curl -m 60 -X POST "$X2C_API_BASE_URL" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $X2C_API_KEY" \
  -d '{"action": "wallet/claim-x2c", "amount": 50.0}'

Swap X2C to USDC

curl -m 60 -X POST "$X2C_API_BASE_URL" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $X2C_API_KEY" \
  -d '{"action": "wallet/swap-x2c", "amount": 100.0}'

Withdraw USDC

curl -m 60 -X POST "$X2C_API_BASE_URL" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $X2C_API_KEY" \
  -d '{"action": "wallet/withdraw-usdc", "amount": 10.0, "to_address": "SolanaAddress..."}'

Transaction History

curl -m 60 -X POST "$X2C_API_BASE_URL" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $X2C_API_KEY" \
  -d '{"action": "wallet/transactions", "page": 1, "page_size": 20, "type": "all"}'

Types: earnings (mining, distribution, referral, etc.), purchases (consume, swap, withdrawal, etc.), or all.

Comments

Loading comments...