xo-protocol 安全扫描报告 — 可信 | ClawSafe

5 /100

xo-protocol

Dating intelligence API for identity verification, compatibility scoring, and reputation through XO Protocol

XO Protocol is a legitimate dating intelligence API SDK with no security issues found. All behavior is properly documented, network access is limited to the declared API endpoint, and no sensitive operations are performed.

技能名称xo-protocol

分析耗时42.4s

引擎pi

✓

可以安装

No action required. The skill is safe to use as documented.

资源类型	声明权限	推断权限	状态	证据
网络访问	`READ`	`READ`	✓ 一致	sdk/index.js:11 - fetch calls to BASE_URL
文件系统	`NONE`	`NONE`	—	No file I/O operations found
命令执行	`NONE`	`NONE`	—	No subprocess or exec calls found
环境变量	`READ`	`READ`	✓ 一致	examples/mcp-server.js:33-34 - reads XO_API_KEY, XO_ACCESS_TOKEN
技能调用	`NONE`	`NONE`	—	No skill invocation found
剪贴板	`NONE`	`NONE`	—	No clipboard access found
浏览器	`NONE`	`NONE`	—	No browser automation found
数据库	`NONE`	`NONE`	—	No database access found

16 项发现

🔗

中危外部 URL 外部 URL

https://xoxo.space/en/protocol

README.md:11

🔗

中危外部 URL 外部 URL

https://protocol.xoxo.space/protocol/docs

README.md:12

🔗

中危外部 URL 外部 URL

https://yourapp.com/callback

README.md:51

🔗

中危外部 URL 外部 URL

https://protocol.xoxo.space/protocol/v1/auth/token

README.md:225

🔗

中危外部 URL 外部 URL

https://xoxo.space/en/oauth/authorize

README.md:235

🔗

中危外部 URL 外部 URL

https://yourapp.com/callback?code=AUTH_CODE&state=random123

README.md:245

🔗

中危外部 URL 外部 URL

https://tools.ietf.org/html/rfc7807

README.md:309

🔗

中危外部 URL 外部 URL

https://xoxo.space/en/protocol#cta

README.md:324

🔗

中危外部 URL 外部 URL

https://xoxo.space

README.md:330

🔗

中危外部 URL 外部 URL

https://yourapp.com/auth/xo/callback

examples/dating-app-integration.js:19

🔗

中危外部 URL 外部 URL

https://protocol.xoxo.space

examples/mcp-server.js:34

🔗

中危外部 URL 外部 URL

https://xoxo.space/en/oauth/authorize?$

examples/quickstart.js:34

🔗

中危外部 URL 外部 URL

https://xoxo.space/protocol

examples/trust-badge.html:139

🔗

中危外部 URL 外部 URL

https://xoxo.space/en/oauth/authorize?client_id=...&redirect_uri=...&scope=...&state=...&response_type=code

openapi.yaml:26

🔗

中危外部 URL 外部 URL

https://staging-api.rooit.net

openapi.yaml:93

🔗

中危外部 URL 外部 URL

https://myapp.com/callback

sdk/index.js:56

目录结构

10 文件 · 69.8 KB · 2327 行

JavaScript 4f · 796L YAML 1f · 748L Markdown 2f · 419L HTML 1f · 243L TypeScript 1f · 105L JSON 1f · 16L

├─ ▾ 📁 examples

│ ├─ 📜 dating-app-integration.js JavaScript 140L · 4.1 KB

│ ├─ 📜 mcp-server.js JavaScript 217L · 5.7 KB

│ ├─ 📜 quickstart.js JavaScript 171L · 4.7 KB

│ └─ 📄 trust-badge.html HTML 243L · 8.5 KB

├─ ▾ 📁 sdk

│ ├─ 📜 index.d.ts TypeScript 105L · 2.4 KB

│ ├─ 📜 index.js JavaScript 268L · 8.4 KB

│ └─ 📋 package.json JSON 16L · 416 B

├─ 📋 openapi.yaml YAML 748L · 22.7 KB

├─ 📝 README.md Markdown 336L · 10.3 KB

└─ 📝 SKILL.md Markdown 83L · 2.7 KB

依赖分析 3 项

包名	版本	来源	已知漏洞	备注
`@modelcontextprotocol/sdk`	`*`	npm	否	Only required for MCP server example, not main SDK
`express`	`*`	npm	否	Only in dating-app-integration example, not required
`express-session`	`*`	npm	否	Only in dating-app-integration example, not required

安全亮点

✓ Zero-dependency SDK using native fetch - minimal supply chain risk

✓ Full OAuth 2.0 implementation with PKCE support for public clients

✓ Proper credential handling - secrets read from environment, not hardcoded in production

✓ Ephemeral tmp_id tokens with 24h TTL - privacy-preserving design

✓ No filesystem writes or shell execution

✓ All functionality fully documented in SKILL.md

✓ Dual authentication (API key + JWT) for API access

✓ Standard REST API client pattern - no suspicious network patterns

✓ SDK exports only safe API client methods

✓ No obfuscation, base64-encoded payloads, or hidden instructions