Scan Report
5 /100
xo-protocol
Dating intelligence API for identity verification, compatibility scoring, and reputation through XO Protocol
XO Protocol is a legitimate dating intelligence API SDK with no security issues found. All behavior is properly documented, network access is limited to the declared API endpoint, and no sensitive operations are performed.
Safe to install
No action required. The skill is safe to use as documented.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | sdk/index.js:11 - fetch calls to BASE_URL |
| Filesystem | NONE | NONE | — | No file I/O operations found |
| Shell | NONE | NONE | — | No subprocess or exec calls found |
| Environment | READ | READ | ✓ Aligned | examples/mcp-server.js:33-34 - reads XO_API_KEY, XO_ACCESS_TOKEN |
| Skill Invoke | NONE | NONE | — | No skill invocation found |
| Clipboard | NONE | NONE | — | No clipboard access found |
| Browser | NONE | NONE | — | No browser automation found |
| Database | NONE | NONE | — | No database access found |
16 findings
Medium External URL 外部 URL
https://xoxo.space/en/protocol README.md:11 Medium External URL 外部 URL
https://protocol.xoxo.space/protocol/docs README.md:12 Medium External URL 外部 URL
https://yourapp.com/callback README.md:51 Medium External URL 外部 URL
https://protocol.xoxo.space/protocol/v1/auth/token README.md:225 Medium External URL 外部 URL
https://xoxo.space/en/oauth/authorize README.md:235 Medium External URL 外部 URL
https://yourapp.com/callback?code=AUTH_CODE&state=random123 README.md:245 Medium External URL 外部 URL
https://tools.ietf.org/html/rfc7807 README.md:309 Medium External URL 外部 URL
https://xoxo.space/en/protocol#cta README.md:324 Medium External URL 外部 URL
https://xoxo.space README.md:330 Medium External URL 外部 URL
https://yourapp.com/auth/xo/callback examples/dating-app-integration.js:19 Medium External URL 外部 URL
https://protocol.xoxo.space examples/mcp-server.js:34 Medium External URL 外部 URL
https://xoxo.space/en/oauth/authorize?$ examples/quickstart.js:34 Medium External URL 外部 URL
https://xoxo.space/protocol examples/trust-badge.html:139 Medium External URL 外部 URL
https://xoxo.space/en/oauth/authorize?client_id=...&redirect_uri=...&scope=...&state=...&response_type=code openapi.yaml:26 Medium External URL 外部 URL
https://staging-api.rooit.net openapi.yaml:93 Medium External URL 外部 URL
https://myapp.com/callback sdk/index.js:56 File Tree
10 files · 69.8 KB · 2327 lines JavaScript 4f · 796L
YAML 1f · 748L
Markdown 2f · 419L
HTML 1f · 243L
TypeScript 1f · 105L
JSON 1f · 16L
├─
▾
examples
│ ├─
dating-app-integration.js
JavaScript
│ ├─
mcp-server.js
JavaScript
│ ├─
quickstart.js
JavaScript
│ └─
trust-badge.html
HTML
├─
▾
sdk
│ ├─
index.d.ts
TypeScript
│ ├─
index.js
JavaScript
│ └─
package.json
JSON
├─
openapi.yaml
YAML
├─
README.md
Markdown
└─
SKILL.md
Markdown
Dependencies 3 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
@modelcontextprotocol/sdk | * | npm | No | Only required for MCP server example, not main SDK |
express | * | npm | No | Only in dating-app-integration example, not required |
express-session | * | npm | No | Only in dating-app-integration example, not required |
Security Positives
✓ Zero-dependency SDK using native fetch - minimal supply chain risk
✓ Full OAuth 2.0 implementation with PKCE support for public clients
✓ Proper credential handling - secrets read from environment, not hardcoded in production
✓ Ephemeral tmp_id tokens with 24h TTL - privacy-preserving design
✓ No filesystem writes or shell execution
✓ All functionality fully documented in SKILL.md
✓ Dual authentication (API key + JWT) for API access
✓ Standard REST API client pattern - no suspicious network patterns
✓ SDK exports only safe API client methods
✓ No obfuscation, base64-encoded payloads, or hidden instructions