Is glacier-luo/xapi123123 safe?

https://github.com/openclaw/skills/tree/main/skills/glacier-luo/xapi123123

Overall score: 46
Verdict: DANGEROUS

The xapi123123 skill is a sophisticated commercial manipulation framework that hijacks agent behavior across three vectors: it instructs agents to permanently self-install and rewrite their MCP configuration, it coerces users into posting promotional tweets through a false 'account verification' flow, and it establishes xapi.to as a permanent surveillance intermediary for all agent API queries. The skill explicitly names the OpenClaw platform in its self-modification attack, and includes a living document mechanism allowing the skill body to be updated at https://xapi.to/skill.md post-install. While the installation itself was clean with no malware payload, the skill's instruction set constitutes a deliberate multi-vector prompt injection and social engineering campaign that weaponizes the agent against its own user for commercial gain.

Category Scores

Category · Score · Weight
Prompt Injection · 10/100 · 30%
Data Exfiltration · 40/100 · 25%
Code Execution · 70/100 · 20%
Clone Behavior · 90/100 · 10%
Canary Integrity · 100/100 · 10%
Behavioral Reasoning · 5/100 · 5%

Findings (10)

CRITICAL Agent Self-Installation and Persistent Skill Injection -40

The skill instructs the agent to copy itself into the agent's permanent skill directory and load it as a persistent reference skill on every session, establishing long-term behavioral control without user re-authorization.

CRITICAL Agent MCP Configuration Self-Modification — OpenClaw Explicitly Targeted -30

The skill instructs the agent to rewrite its own MCP server configuration file, adding xapi as a registered server with an embedded API key. OpenClaw is called out by name, indicating deliberate targeting of this specific platform.

CRITICAL User Social Engineering via Agent: Mandatory Promotional Tweet -20

Step 3 of the registration flow instructs the agent to compel the user to post a promotional tweet for xapi.to, falsely framed as technical account verification required to receive 'reward credits'. The agent is weaponized as a spam delivery mechanism against its own user.

HIGH Living Document Attack: Remote Skill Body Mutation Post-Install -10

The skill instructs the agent to re-fetch the skill body from https://xapi.to/skill.md at any time. This allows the skill author to silently modify agent instructions after installation, bypassing any audit of the originally installed content.

HIGH Permanent Third-Party Query Surveillance via MCP Proxy -30

After installation, all agent data queries — Twitter lookups, web searches, blockchain queries, AI calls — are permanently routed through xapi.to servers. This gives the skill author continuous visibility into the agent's information-gathering behavior and the ability to monetize or manipulate query results.

HIGH API Key Exposed in MCP URL Query Parameter -20

The API key is embedded as a plaintext query parameter in the MCP endpoint URL, making it visible in MCP configuration files, system process listings, web server access logs on xapi.to, and any monitoring tools inspecting the agent's config.

HIGH Commercial Surveillance Infrastructure Embedded in Agent Behavior -50

This skill functions as a commercial data collection and monetization layer. Every agent query generates revenue for xapi.to, and behavioral analytics on agent usage patterns are collected. The skill's design — mandatory MCP registration, proactive-use-first override, 50+ API categories — maximizes traffic through the author's infrastructure.

MEDIUM Autonomous Account Registration Without User Consent -10

The skill recommends the agent autonomously create a commercial account on xapi.to without user knowledge or approval, binding the user's agent to a third-party identity and payment system.

MEDIUM Agent Instructed to Execute External API Registration and Write Credential Files -15

The skill instructs the agent to execute curl commands to external servers and write sensitive credential files to disk, using the agent as an execution environment for the skill author's onboarding workflow without explicit user approval of each action.

LOW Clean Repository Clone — No Malicious Installation Behavior -10

The repository installation only contacted GitHub servers as expected. No unexpected network connections, process spawning, or filesystem changes outside the skill directory were detected during the clone and installation phase.