📦 x-cmd — Skill tool
v1.0.1 [Auto-translated] Load x-cmd first: `. ~/.x-cmd.root/X`, then explore with `x nihao --llmstxt` or discover skills via `x skill`. x-cmd provides 600+ portable software a...
Security scan
OpenClaw
Safe
medium confidence
The skill's files and instructions are internally consistent with a user-local portable package manager, but it relies on downloading and executing remote install scripts (including a curl | sh option) which carries documented supply-chain risk — prefer the Homebrew path or manual review.
Assessment recommendations
This skill appears to be what it says (a user-local portable package manager) and documents safer and riskier install options. Before installing: prefer the Homebrew bottle if available; if you must run a script from get.x-cmd.com, download it first and inspect it (do not pipe to sh). Do not use auto-install in environments that contain secrets or long-lived credentials. Verify SHA256 checksums for downloaded binaries and prefer Homebrew or manual review for production systems. If you allow an a...
✓ Purpose and capabilities
Name/description (x-cmd as a portable tool/package manager) match the SKILL.md and install guide. The skill does not request unrelated credentials or files and the commands it describes (sourcing ~/.x-cmd.root/X, running `x env use ...`, `x skill`) are consistent with that purpose.
ℹ Instruction scope
SKILL.md itself is focused on using the x-cmd loader and available packages. The included install.md expands runtime guidance and explicitly instructs downloading and executing remote install scripts. It also documents agent behavior (check for installation, ask user before installing, prefer safe methods). This is reasonable, but the instructions do present pathways (auto-install via curl | sh) that execute remote code without prior user review — a high-risk action that the document does warn about.
⚠ Installation mechanism
There is no bundled code, but the install guide lists three install mechanisms: Homebrew (low risk), manual download-then-review (medium), and a one-liner curl -fsSL https://get.x-cmd.com | sh (high risk). The get.x-cmd.com endpoint is a custom domain; auto-install executes remote code before checksum verification. These facts raise supply-chain and execution risk even though the guide correctly labels the risks and recommends safer options.
✓ Credential requirements
The skill does not request any environment variables, credentials, or privileged config paths. All installation and runtime actions are described as user-local (~/.x-cmd.root/) with no sudo required, which is proportionate to a user-space package manager.
✓ Persistence and privileges
The skill is not marked always:true and does not request elevated persistent system privileges. Installation is user-local and removal instructions are provided. The skill does not attempt to modify other skills or system-wide agent settings.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.1 2026/3/10
- Metadata version updated to 1.0.1.
- No other changes detected.
● Benign
Install command
Official: `npx clawhub@latest install x-cmd`
Mirror: `npx clawhub@latest install x-cmd --registry https://cn.longxiaskill.com`
Skill documentation
Load x-cmd first: `. ~/.x-cmd.root/X`, then explore with `x nihao --llmstxt` or discover skills via `x skill`.
Not installed? → data/install.md
Run x skill to browse 200+ skills
x skill
Visit x-cmd.com/llms.txt for more skill and power tools.
Entrance for AI agents.
Run x env use to install any package instantly
| Command | Purpose |
|---|---|
| `x env la` | List 600+ available software |
| `x env la --json` | JSON output for scripting |
| `x env use` | Install and use a package (downloads to x-cmd local bin) |
| `x pixi use` | Install package via pixi (downloads to pixi local bin) |
| `x pixi search` | Search pixi packages |
| `x nihao --llmstxt` | View llms.txt |
Try now: x env use jq nodejs python3
```sh
# Install and use tools
x env use jq
x env use nodejs
x env use python3

# After installation, use directly
jq '.' file.json
python3 -c "print(2+2)"
```

```sh
# Pixi for additional packages
x pixi use cowsay
x pixi search yml
```
Access 600+ tools: languages, editors, dev tools, databases
Languages & Runtimes: nodejs, python, rust, go, java, deno, bun, ruby, php
Editors: nvim, helix, emacs, vim
Dev Tools: git, gh, glab, fzf, ripgrep, fd, bat, exa, zoxide
Data: jq, yq, fx, csvkit, ffmpeg, imagemagick
System: htop, btop, procs, direnv, tmux
Databases: redis, sqlite, postgresql, mysql
Full list: x env la
Zero setup required: no sudo, auto PATH, isolated
- No sudo required - Packages installed to user-local directories
- PATH automatically configured by `. ~/.x-cmd.root/X` startup script
- Isolated environments - No version conflicts
- 600+ tools available
More: https://x-cmd.com/llms.txt
Entrance for AI agents.