ClawHub

Xpoz Setup

v1.2.0

Set up and authenticate the Xpoz MCP server for social media intelligence. Required by all Xpoz skills. Handles server configuration, OAuth login, and connection verification with minimal user interaction.

5· 2.3k·12 current·12 all-time
by@atyachin
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Xpoz MCP OAuth setup) matches the implemented steps: checking mcporter, registering the MCP server, running a browser or headless PKCE flow, and configuring mcporter with a bearer token. Required binary (mcporter) and network hosts (mcp.xpoz.ai, www.xpoz.ai) are appropriate for this purpose.
Instruction Scope
SKILL.md instructs only to run local checks, call mcporter, perform OAuth (either via browser or a manual headless flow), and wait for the user-provided code. It does not ask to read unrelated files or exfiltrate data to unexpected endpoints — network activity is limited to Xpoz endpoints. The script stores transient PKCE state in a restricted cache directory and does not print tokens.
Install Mechanism
There is no install spec (instruction-only skill) and the included shell/python script is small and local. No downloads from third-party URLs or archive extraction are performed. Risk from installation is low.
Credentials
The skill requests no environment variables or unrelated credentials. It only requires the mcporter binary and network access to Xpoz domains, which aligns with the OAuth/configuration task. The bearer token obtained is used to configure mcporter — reasonable for this integration.
Persistence & Privilege
The skill configures mcporter and therefore results in persistent storage of an Authorization header (bearer token) inside mcporter's configuration. This is expected for an OAuth setup but is a persistent secret the user should be aware of. always:false and normal autonomous invocation mean it does not force global inclusion.
Assessment
This skill appears to do exactly what it says: set up Xpoz OAuth and configure mcporter. Before installing, confirm you trust https://xpoz.ai and that mcporter is the correct, official tool included with your OpenClaw install. Be aware that the OAuth access token will be written into mcporter's configuration (persistent on disk) so if you want to revoke access later, remove the xpoz config entry or revoke the token from Xpoz. On headless servers the skill asks you to paste an authorization code into chat — don't paste any unrelated secrets. If you need stronger guarantees, inspect mcporter's config storage location and verify token handling after setup.

Like a lobster shell, security has layers — review code before you run it.

latestvk9728j600vsk9tpf6x9qceg29n80zrpm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsmcporter

Comments