Safety Report

Xpoz Setup

Name: Xpoz Setup
Rating: 5 (4 reviews)
Author: atyachin

Set up and authenticate the Xpoz MCP server for social media intelligence. Required by all Xpoz skills. Handles server configuration, OAuth login, and connection verification with minimal user interaction.

1,496Downloads

10Installs

4Stars

3Versions

API Integration4,971 Video & Audio1,618 Social Media1,367 DevOps & Infrastructure1,045

Security Analysis

high confidence

Clean0.04 risk

The skill's code and instructions consistently perform an OAuth setup against mcp.xpoz.ai using mcporter and a headless PKCE flow; the requested operations and files are proportional to the stated purpose.

Feb 11, 20262 files1 concern

Purpose & Capabilityok

Name/description (Xpoz MCP OAuth setup) matches the implemented steps: checking mcporter, registering the MCP server, running a browser or headless PKCE flow, and configuring mcporter with a bearer token. Required binary (mcporter) and network hosts (mcp.xpoz.ai, www.xpoz.ai) are appropriate for this purpose.

Instruction Scopeok

SKILL.md instructs only to run local checks, call mcporter, perform OAuth (either via browser or a manual headless flow), and wait for the user-provided code. It does not ask to read unrelated files or exfiltrate data to unexpected endpoints — network activity is limited to Xpoz endpoints. The script stores transient PKCE state in a restricted cache directory and does not print tokens.

Install Mechanismok

There is no install spec (instruction-only skill) and the included shell/python script is small and local. No downloads from third-party URLs or archive extraction are performed. Risk from installation is low.

Credentialsok

The skill requests no environment variables or unrelated credentials. It only requires the mcporter binary and network access to Xpoz domains, which aligns with the OAuth/configuration task. The bearer token obtained is used to configure mcporter — reasonable for this integration.

Persistence & Privilegenote

The skill configures mcporter and therefore results in persistent storage of an Authorization header (bearer token) inside mcporter's configuration. This is expected for an OAuth setup but is a persistent secret the user should be aware of. always:false and normal autonomous invocation mean it does not force global inclusion.

Guidance

This skill appears to do exactly what it says: set up Xpoz OAuth and configure mcporter. Before installing, confirm you trust https://xpoz.ai and that mcporter is the correct, official tool included with your OpenClaw install. Be aware that the OAuth access token will be written into mcporter's configuration (persistent on disk) so if you want to revoke access later, remove the xpoz config entry or revoke the token from Xpoz. On headless servers the skill asks you to paste an authorization code into chat — don't paste any unrelated secrets. If you need stronger guarantees, inspect mcporter's config storage location and verify token handling after setup.

Latest Release

v1.2.0

Use standard OpenClaw metadata format for requires (bins, network, credentials)

More by @atyachin

Lead Generation

10 stars

Xpoz Social Search

6 stars

Social Sentiment

4 stars

Instagram Search

3 stars

Social Intelligence

3 stars

Expert Finder

2 stars

Published by @atyachin on ClawHub