📦 x0x — 安全AI组网
v0.17.4为AI代理提供端到端加密、抗量子、NAT穿透的P2P网络,支持gossip广播、私聊、CRDT同步与群组加密,零信任安全。
1· 139·0 当前·0 累计
by 下载技能包
最后更新
2026/4/20
安全扫描
OpenClaw
安全
medium confidenceThe skill's declared purpose (peer-to-peer, post‑quantum agent networking) aligns with its files and runtime instructions; it requires installing and running a network daemon and self‑updating binaries, which is powerful but coherent with the stated goal.
评估建议
This package appears to be what it says: a full peer‑to‑peer networking daemon and CLI. Key things to consider before installing:
- Inspect the installer: the SKILL.md suggests running curl | sh (https://x0x.md). Prefer downloading the GitHub release tarball directly or review the install script before piping to a shell. Verify release signatures as documented.
- Review the release signing key and verification steps in docs/GPG_SIGNING.md or docs/VERIFICATION.md before enabling auto-update. The...详细分析 ▾
✓ 用途与能力
Name/description, CLI/daemon behavior, and the large Rust/Bindings codebase are consistent: this is a full P2P daemon (x0xd) + CLI (x0x) providing gossip, direct messaging, CRDTs, MLS groups, NAT traversal and file transfer. The single declared runtime dependency (curl) and no extra unrelated env vars match the installation and usage instructions.
ℹ 指令范围
SKILL.md instructs installing prebuilt binaries or using an install script, starting a daemon that generates keypairs in ~/.x0x, reading local API files (api.port, api-token) for REST use, and running network operations. All these actions are within scope for a networking daemon. Two items warrant attention: (1) the install path includes curl | sh (remote install script), which is a high‑impact action to review before running; (2) the daemon performs self‑update and gossip rebroadcast of manifests, which is functionally expected but increases runtime power and network effects.
ℹ 安装机制
Install metadata and SKILL.md use GitHub releases and raw.githubusercontent URLs (well-known hosts) and extract binaries into ~/.local/bin — standard. A backup/primary install step points to https://x0x.md which is an external domain (likely a project redirector); curl | sh installation is convenient but risky if not inspected. No obscure third‑party download hosts or IP addresses are used in the provided manifests.
✓ 凭证需求
The skill requests no environment credentials and does not enumerate unrelated secret env vars. It reads and writes local identity/key files under ~/.x0x and API token/port files in the data directory — behavior consistent with a local agent/daemon that exposes a REST API. No extraneous credential or system config access was requested in the metadata.
ℹ 持久化与权限
The skill is not always:true and does not require elevated platform privileges in metadata. However, it installs and runs a long‑lived daemon (x0xd) which can autostart, open network connections, and perform automatic self‑updates and gossip rebroadcasts. Autonomous model invocation plus a network daemon and self‑update capability increases blast radius and should be accepted consciously by the user (not a silent/forced privilege in metadata).
⚠ bindings/nodejs/index.js:41
Shell command execution detected (child_process).
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv0.17.42026/4/2
Sync to upstream x0x 0.17.4. Since 0.14.9: Phase-E named groups (MLS state-commit chain), Phase C.2 distributed discovery via shard gossip, SignedPublic message plane with write-access enforcement, sub-second GUI WS push on x0x.groups.public, data-dir-scoped agent.cert (fixes multi-daemon-per-host identity trampling), ant-quic 0.26.13 + saorsa-gossip 0.5.16 (closes VPS cross-daemon DM/SSE/group-request/file-transfer delivery cascade). Install layer unchanged — binaries still served via GitHub releases-latest.
● 无害
安装命令
点击复制官方npx clawhub@latest install x0x
镜像加速npx clawhub@latest install x0x --registry https://cn.longxiaskill.com