Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
xenodia
v1.0.0Enables this agent to authenticate with and use the Xenodia Multimodal AI Gateway. Covers two wallet identity modes (local keypair OR CDP Server Wallet), bal...
⭐ 0· 346·0 current·0 all-time
byXENODIA@xenodiaofficial
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (Xenodia gateway client) lines up with the included Python clients for local keypair and Coinbase CDP wallet modes. The client code only talks to the Xenodia API (XENODIA_BASE_URL) and to the Coinbase CDP SDK in CDP mode, which is consistent with the stated purpose. However the registry metadata claims there are no required env vars or credentials, while SKILL.md and the CDP client require multiple CDP environment variables for CDP mode — this metadata mismatch should be resolved.
Instruction Scope
SKILL.md instructs the agent (and the user) to request and accept sensitive values (CDP_API_KEY_ID, CDP_API_KEY_SECRET, CDP_WALLET_SECRET) from the owner and then to append them into ~/.zshrc for persistence. It also instructs generating and storing an unencrypted local private key file (.xenodia_agent_key). Asking an agent to write secrets into a shell rc file and to store raw private keys is scope-creep relative to just 'use the gateway' and increases exposure risk.
Install Mechanism
There is no remote install/download; the skill is instruction + included Python scripts. It asks the user to pip-install cdp-sdk and requests in CDP mode, which is a typical mechanism and not unusual. No arbitrary download URLs or archive extraction are present.
Credentials
The CDP mode legitimately requires CDP_API_KEY_ID, CDP_API_KEY_SECRET, and CDP_WALLET_SECRET (and optionally CDP_WALLET_NAME). These environment variables are necessary for Coinbase CDP operation. But the skill registry metadata lists no required env vars — an inconsistency. Also the instructions push storing these high-value secrets in ~/.zshrc (plain text), which is disproportionate from a security standpoint; a safer approach (OS keyring, restricted file with proper permissions, or not persisting at all) would be preferable.
Persistence & Privilege
The skill's scripts will create/modify files: .xenodia_agent_key in the skill folder (local private key) and SKILL.md explicitly instructs appending secrets to ~/.zshrc. While the skill does not request 'always: true' or modify other skills, the instructions ask the agent to persist credentials into a user shell config and to write unencrypted private keys to disk, which increases long-term exposure and is a meaningful privilege to be aware of.
What to consider before installing
This package appears to be a legitimate Xenodia gateway client, but take these precautions before installing or enabling it:
- Metadata mismatch: The registry metadata says there are no required environment variables, but CDP mode requires three sensitive Coinbase CDP values (CDP_API_KEY_ID, CDP_API_KEY_SECRET, CDP_WALLET_SECRET). Ask the publisher to fix the metadata or verify why it's omitted.
- Secrets handling: Do NOT paste high-value secrets into ~/.zshrc unless you understand the risk. Storing API secrets or wallet secrets in a shell rc file leaves them in plain text accessible to any process that can read your shell files. Prefer a secure secret store (OS keyring, credential manager) or a file with restricted permissions.
- Local private key: Local mode writes an unencrypted private key to .xenodia_agent_key. Only use local key mode if you accept storing the raw private key on disk; otherwise use CDP/MPC mode.
- Verify endpoints and code: The scripts contact XENODIA_BASE_URL (default https://api.xenodia.xyz). Confirm that is the intended gateway. If you do not trust the Xenodia service or the skill source, do not provide credentials.
- Limit exposure: If you must use this skill, avoid giving it autonomous privilege (or at least review/approve any actions that persist credentials). Consider running the scripts manually in an isolated environment rather than granting the agent automatic invocation.
If you want, I can: (1) point out the exact lines where secrets are read/written, (2) produce a safer alternative for persisting credentials (restricted file with 600 permissions or keyring use), or (3) draft questions to ask the skill publisher to resolve the metadata mismatch.Like a lobster shell, security has layers — review code before you run it.
latestvk979wmdsjej47ep0vtz8e68xe1823fgs
License
MIT-0
Free to use, modify, and redistribute. No attribution required.