ClawHub

XMTP CLI

v1.0.0

Run and script the XMTP CLI for testing, debugging, and interacting with XMTP conversations, groups, and messages. Use when the user needs init, send, list, groups, debug, sync, permissions, or content commands from the CLI.

1· 1.6k·1 current·1 all-time
by@humanagent
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the instructions: the skill documents how to use the @xmtp/cli to init, send, list, groups, sync, debug, permissions, and content. Sub-skill topics and commands are coherent with a messaging CLI.
Instruction Scope
SKILL.md and the sub-skill docs instruct only CLI commands, env setup, and use of the XMTP gateway; they do not direct the agent to read arbitrary system files, exfiltrate data, or post to unknown endpoints. Using a custom gateway URL is permitted by the tool and documented.
Install Mechanism
This is an instruction-only skill with no install spec; it recommends installing the official npm package (@xmtp/cli) or running via npx/pnpx/dlx — a standard, low-risk approach. No arbitrary download URLs or extract steps are included in the skill bundle.
!
Credentials
The skill registry lists no required env vars, but the runtime docs explicitly require highly sensitive variables (XMTP_WALLET_KEY — a private key, and XMTP_DB_ENCRYPTION_KEY) plus optional gateway and debug flags. That mismatch (declared none vs. instructions requiring secrets) is an incoherence and a red flag: supplying a private key in a .env is sensitive and should be carefully justified and validated. The need for these variables is proportional to a CLI that signs messages, but the skill should have declared them in metadata and warned about risks.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has no install-time persistence in the bundle. Agent autonomous invocation is allowed (platform default) but not combined with other high-risk properties here.
What to consider before installing
This skill's documentation looks like legitimate XMTP CLI usage, but note two things before installing or using it: (1) the SKILL.md expects you to create a .env containing XMTP_WALLET_KEY (your Ethereum private key) and XMTP_DB_ENCRYPTION_KEY — extremely sensitive values. Never paste a real production private key into an untrusted package's config; prefer ephemeral wallets, hardware wallets, or a provider-based auth flow. (2) The skill metadata does not provide a source or homepage and does not declare the required env vars — verify you are installing the official @xmtp/cli from the npm registry (check the package owner, release page, and package contents) and confirm the package integrity (checksums/signatures) before installing. If you must use this skill, run it in an isolated environment (container/VM) and avoid storing long-term private keys in plaintext .env files. If possible, consult the official docs at https://docs.xmtp.org and install only from the official project pages.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f3494cvbc02g64t0j74amj180cbwx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments