📦 X0x
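v0.17.4 Clawhub Dist. Secure: computer-to-computer secure networking for AI agents (gossip broadcast, direct messages, CRDTs, group encryption). Post-quantum encryption, NAT traversal. E...
0 · 21 · 0 current · 0 cumulative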
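Last updated
2026/4/20
Security scan
OpenClaw
Suspicious
medium confidence. This skill appears to be a genuine P2P networking daemon (x0x) whose code and instructions match its description, but there are several metadata/instruction inconsistencies and a number of install/update patterns (curl | sh, decentralized self-update) that call for caution before installing.
Assessment recommendations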
Plain-language next steps and cautions before installing:
1) Metadata inconsistencies: The registry summary indicated “instruction-only / no install spec”, but SKILL.md includes an install manifest and the repository contains full source and binaries — treat this as a full software package, not a tiny helper. The declared required binaries list only curl while installation/extraction will use tar/unzip/cp/chmod — ensure those tools exist.
2) Prefer safe install paths: Avoid piping unknown remo...
✓ Purpose and capabilities
Name/description (P2P gossip, CRDTs, NAT traversal, post‑quantum crypto) align with the included source tree (Rust binaries x0xd/x0x, bindings, docs, tests) and Cargo.toml dependencies. The codebase and APIs present are consistent with the declared purpose.
⚠ Instruction scope
SKILL.md contains explicit install/run instructions that read local files (e.g., API port and api-token under the data dir) and instruct starting a daemon and enabling autostart. The runtime instructions reference local token files and REST API usage but the registry metadata does not declare those config paths or any env vars — a metadata/instruction mismatch. The instructions also recommend piping remote scripts (https://x0x.md | sh), which grants the remote script broad discretion on the host.
⚠ Install mechanism
The in-markdown install metadata points to GitHub release archives (reasonable), but the prose also recommends `curl -sfL https://x0x.md | sh` and a raw.githubusercontent.com fallback. `curl | sh` is a common but high-risk pattern because it executes remote code without local inspection. The manifest's downloads are from GitHub releases (expected), but the presence of a separate short domain (x0x.md) used as the primary install route increases risk unless you verify it maps to the project owners. Also: SKILL.md's install steps extract archives (tar/zip) yet the declared required binaries list only `curl` — mismatch with required tools to perform extraction.
ℹ Credential requirements
The skill declares no required environment variables or credentials (primaryEnv: none), which matches most of the content. Runtime docs show the daemon writes/reads keys and tokens in ~/.x0x and data directories and the CLI reads an api-token file to call the local REST API — this is coherent for a local daemon. However the self-update subsystem (monitor/rollout) polls GitHub and rebroadcasts manifests into the gossip network; that design is powerful and acceptable for an updater but increases the importance of reliable signature verification and key management (the repo claims ML-DSA-65 signatures and an embedded release public key). No external credentials are requested, so env/credential scope is proportionate, but the automatic update/gossip propagation is a significant capability that should be understood before enabling.
ℹ Persistence and privileges
always:false (not force-installed). The skill offers optional autostart and a daemon (x0xd) that installs into ~/.local/bin and can be set to autostart. The self-update system can poll GitHub and rebroadcast manifests across the P2P network; nodes may apply updates automatically if manifests verify. This is a legitimate feature for a distributed daemon, but it raises persistence/privilege implications (automatic updates, autostart, network-wide update gossip) and therefore should be reviewed and controlled (verify signatures, consider disabling auto-apply in sensitive environments).
⚠ bindings/nodejs/index.js:41
Shell command execution detected (child_process).
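Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Versions
latest v0.17.4 2026/4/20
Synced to upstream x0x 0.17.4. New since 0.14.9: Phase-E named groups (MLS state-commit chain), Phase C.2 distributed discovery based on sharded gossip, the SignedPublic message plane with write-access control, sub-second GUI WS push for x0x.groups.public, agent.cert isolated per data-dir (fixes identity clobbering when multiple daemons run on one host), ant-quic 0.26.13 + saorsa-gossip 0.5.16 (closes the VPS cross-daemon DM/SSE/group-request/file-transfer cascade). The install layer is unchanged: binaries are still distributed via GitHub releases-latest.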
● Benign
Install commands
Official: `npx clawhub@latest install x0x-clawhub-dist`
Mirror: `npx clawhub@latest install x0x-clawhub-dist --registry https://cn.longxiaskill.com`