Is jasonxkensei/xproof safe?
https://github.com/openclaw/skills/tree/main/skills/jasonxkensei/xproof
xProof is a blockchain proof-of-existence skill whose installation is completely clean: no suspicious network activity, no canary compromise, no executable code, and no prompt injection in the SKILL.md itself. The primary risks are architectural and arise at runtime rather than at install time: the skill is designed to transmit plaintext content to an external commercial service (xproof.app) for server-side hashing, it enables autonomous blockchain payments via x402 without per-operation user consent, and it recommends adding an MCP server that creates a persistent external command channel into the agent. All of these behaviors are disclosed in the documentation, which suggests legitimate intent rather than malice, but users must tightly control what content their agents are permitted to certify (preferring the hash-only mode where possible), cap what the agent may spend, and should not integrate the MCP server without understanding the ongoing trust dependency on xproof.app.
Findings (7)
MEDIUM MCP Server Integration Creates Persistent External Command Channel -15
The skill recommends adding https://xproof.app/mcp as a named MCP server in the agent's configuration. Unlike the SKILL.md, which is a static file reviewed once at install time, an MCP server connection is live: the server can dynamically define tools, change tool names, descriptions and schemas, and thereby feed instructions into the connected agent on every session. If xproof.app is compromised, changes ownership, or operates adversarially, this channel would allow it to influence agent behavior across all future sessions for every user who has integrated the MCP server, with no further review step on the user's side.
MEDIUM Plaintext Content Transmitted to Third-Party Before Hashing -20
The 'content' field in certification requests sends the actual plaintext to xproof.app servers for server-side hashing. Even if, as claimed, the original text is not stored on-chain or persistently, the text necessarily traverses xproof.app's infrastructure and is processed in memory there. An agent following this skill to certify 'decisions', 'reports', or 'agent outputs' will routinely send sensitive plaintext to a third-party commercial service. There is no technical enforcement preventing xproof.app from logging this content; the only control is on the client side, by hashing locally and submitting the digest rather than the text.
MEDIUM Autonomous Blockchain Financial Transactions via x402 -10
The x402 payment path allows an agent to autonomously initiate USDC payments on the Base blockchain without explicit per-transaction user approval. The skill instructs the agent to detect 402 responses, parse the payment instructions they carry, and resubmit the request with payment headers, a fully autonomous pay-on-demand loop. At $0.05 per certification, with batch endpoints accepting up to 50 items per call, an agentic pipeline that retries or certifies in bulk could incur significant costs or execute on-chain transactions without the user ever being asked.
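The control a practitioner would want around this loop is a spend gate that sits between the 402 response and the retry: a per-operation consent hook plus per-item and per-session caps, so that the agent never resubmits with payment unless both pass. The following is an added example, not code from the xproof skill or from the x402 specification; the 402 body shape ({"amount_cents", "pay_to", "network"}), the `payment` token, the `fake_certify_endpoint` stand-in and the $0.05-per-item, 50-item-batch pricing taken from the finding above are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed 402 contract for this example (not the x402 wire format):
# an unpaid request gets status 402 and a body describing the price;
# a paid request carries an opaque payment token and gets 200.
PRICE_CENTS_PER_ITEM = 5      # $0.05 per certification, per the finding
MAX_BATCH_ITEMS = 50          # batch endpoint limit, per the finding


@dataclass
class Response:
    status: int
    body: Dict


@dataclass
class SpendPolicy:
    """Client-side gate the agent must pass before paying a 402."""
    per_item_cap_cents: int                      # refuse if the server asks more per item
    session_cap_cents: int                       # cumulative budget for this agent session
    approve: Callable[[int, str], bool]          # per-operation consent hook (amount, payee)
    spent_cents: int = 0
    decisions: List[str] = field(default_factory=list)


def fake_certify_endpoint(items: List[str], payment: Optional[str]) -> Response:
    """Constructed stand-in for a paid batch certification endpoint."""
    if len(items) > MAX_BATCH_ITEMS:
        return Response(400, {"error": "batch too large"})
    price = PRICE_CENTS_PER_ITEM * len(items)
    if payment is None:
        return Response(402, {"amount_cents": price, "pay_to": "0xPAYEE", "network": "base"})
    return Response(200, {"certified": len(items), "paid_cents": price})


def certify_with_gate(items: List[str], policy: SpendPolicy) -> Response:
    """Send the request unpaid; on 402, pay only if the policy allows it.

    A refusal returns the original 402 with a 'refused' reason so the caller
    (or a human) can see what the agent declined to pay, instead of silently
    paying as the skill's autonomous flow would.
    """
    resp = fake_certify_endpoint(items, payment=None)
    if resp.status != 402:
        return resp

    amount = int(resp.body["amount_cents"])
    payee = str(resp.body["pay_to"])

    if amount > policy.per_item_cap_cents * len(items):
        reason = f"per-item cap exceeded: {amount} cents for {len(items)} items"
    elif policy.spent_cents + amount > policy.session_cap_cents:
        reason = f"session cap exceeded: {policy.spent_cents + amount} > {policy.session_cap_cents}"
    elif not policy.approve(amount, payee):
        reason = f"payment of {amount} cents to {payee} not approved"
    else:
        reason = ""

    if reason:
        policy.decisions.append("refused: " + reason)
        return Response(402, {**resp.body, "refused": reason})

    # Consent and budget both passed: record the spend, then resubmit paid.
    policy.spent_cents += amount
    policy.decisions.append(f"paid {amount} cents to {payee}")
    return fake_certify_endpoint(items, payment=f"token-for-{amount}-cents")


if __name__ == "__main__":
    # Constructed sample: ten agent outputs to certify, human auto-approves.
    docs = [f"agent-output-{i}" for i in range(10)]
    policy = SpendPolicy(per_item_cap_cents=5, session_cap_cents=100, approve=lambda c, p: True)
    print(certify_with_gate(docs, policy))      # status 200, 50 cents spent
    print(certify_with_gate(docs, policy))      # status 200, 100 cents spent
    print(certify_with_gate(docs, policy))      # status 402, refused: session cap
    print(policy.decisions)
```

In a real deployment the `approve` hook is where the per-operation prompt to the user lives; the caps are the backstop for when that prompt is misconfigured or auto-answered, and the `decisions` log is what you reconcile against the wallet's on-chain history.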
LOW LLM-Targeted Resource URLs Could Serve Adversarial Content -10
The skill's Resources section references https://xproof.app/llms.txt and https://xproof.app/llms-full.txt, filenames specifically designed for consumption by LLM agents (following the emerging llms.txt convention). If an agent is directed to consult these resources for API details, and xproof.app's content is ever compromised or turns adversarial, these files become a prompt injection vector that carries elevated trust because the installed skill itself points the agent at them. Their contents are fetched at runtime and were not part of what was reviewed at install.
LOW Agent Workflow Metadata Stored at Third-Party Service -10
Even in hash-only mode (which does not transmit plaintext), the metadata object is sent to and stored by xproof.app. The documented examples include agent names, pipeline identifiers, and filenames. Over time this builds a third-party record of an organization's internal agent workflows, deployment pipelines, and file naming conventions, which is potentially valuable for reconnaissance. Metadata should therefore be treated as disclosed and kept to opaque labels.
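The two data-exposure findings above (plaintext in the 'content' field, and workflow identifiers in the metadata object) share one remedy on the client side: hash locally, send only the digest, and allowlist the metadata keys before anything leaves the host. The following is an added example and is not code from the xproof skill; the request field names ('hash', 'algorithm', 'metadata', 'content'), the allowlisted metadata keys, and the sample document are assumptions constructed for the example, since the page does not show xproof's request schema.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Assumed request schema for this example, not xproof's documented one:
# a hash-only request carries 'hash', 'algorithm' and 'metadata'; a 'content'
# field would carry plaintext and is what the outbound check refuses to send.
ALLOWED_METADATA_KEYS = {"label", "created_at"}   # opaque values only; no agent/pipeline/file names
MIN_LEAK_FRAGMENT = 16                             # ignore very short lines when scanning for leaks


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def minimize_metadata(metadata: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Keep only allowlisted keys; report which reconnaissance-bearing keys were dropped."""
    kept = {k: v for k, v in metadata.items() if k in ALLOWED_METADATA_KEYS}
    dropped = sorted(k for k in metadata if k not in ALLOWED_METADATA_KEYS)
    return kept, dropped


def build_hash_only_request(document: bytes, metadata: Optional[Dict[str, str]] = None) -> dict:
    """Certification payload that carries the digest, never the document itself."""
    kept, _ = minimize_metadata(metadata or {})
    return {"hash": sha256_hex(document), "algorithm": "sha256", "metadata": kept}


def outbound_violation(payload: dict, document: bytes) -> Optional[str]:
    """Last check before the network call. Returns a reason to refuse, or None.

    Catches both the obvious case (a 'content' field) and the subtle one
    (document text smuggled into metadata values or other fields).
    """
    if "content" in payload:
        return "plaintext 'content' field present"
    serialized = json.dumps(payload, sort_keys=True)
    for line in document.decode("utf-8", errors="replace").splitlines():
        fragment = line.strip()
        if len(fragment) >= MIN_LEAK_FRAGMENT and fragment in serialized:
            return "payload contains document text"
    return None


def verify_against_record(document: bytes, recorded_hash: str) -> bool:
    """Later proof check: does the local document still match the certified digest?"""
    return hmac.compare_digest(sha256_hex(document), recorded_hash.lower())


if __name__ == "__main__":
    # Constructed sample document and metadata, not real pipeline data.
    doc = b"Decision record: approve rollout of build 1432 to production\nSigned off by: agent\n"
    meta = {"label": "decision-7f3a", "agent": "release-bot", "pipeline": "prod-deploy", "filename": "decision.md"}
    payload = build_hash_only_request(doc, meta)
    print(json.dumps(payload, indent=2))
    print("dropped metadata keys:", minimize_metadata(meta)[1])
    print("outbound check:", outbound_violation(payload, doc))
    leaky = dict(payload, content=doc.decode())
    print("outbound check on leaky payload:", outbound_violation(leaky, doc))
    print("verifies later:", verify_against_record(doc, payload["hash"]))
```

The digest sent is the same value the service would compute server-side, so hash-only mode loses nothing for the proof-of-existence use case; what it removes is the service's opportunity to read the text. The allowlist is deliberately small: anything that names an agent, pipeline or file is exactly the recon material the finding describes.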
INFO Clean Installation — No Suspicious Network or Filesystem Activity 0
Installation was limited to a sparse git clone of the openclaw/skills monorepo from GitHub and a file copy into the install directory. No connections to xproof.app or any other unexpected host were observed, and no unexpected processes were spawned. The only files written were SKILL.md and _meta.json. Note that this covers install time only; the runtime behaviors in the findings above begin once the agent first follows the skill.
INFO All Canary Files Intact — No Exfiltration at Install Time 0
Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were accessed read-only, and only by the oathe monitoring system for baseline capture and by sshd for SSH authentication. No modification, exfiltration, or network traffic matching canary contents was detected. The skill installs with zero canary impact.