C
SCORE 55 / 100
$ skillox install x0x (Soon)
Why grade C?
score · 55 / 100
The current grade reflects 4 high-severity findings (3+ HIGHs → C).
0 CRIT · 4 HIGH · 2 MED · 0 LOW
To reach a higher grade
- Reach B (target score 75): Resolve 2 of 4 HIGH (cap is 2).
- Reach A (target score 95): Resolve all 4 HIGH.
Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.
Latest scan findings
Scan crawl-ugg0h59a9zusxzh3cohtf2pb · Thu, 28 May 2026 15:34:18 GMT · 4ms
high · Dangerous shell pattern: curl | shell
The skill contains a shell command pattern (`curl | shell`) commonly used in destructive or supply-chain attacks.
Skill source, lines 115–119:
```bash
# Install only (installs x0x CLI + x0xd daemon)
curl -sfL https://x0x.md | sh  # ← curl | shell — common in destructive or supply-chain attacks

# Then start the daemon
```
high · Dangerous shell pattern: curl | shell
The skill contains a shell command pattern (`curl | shell`) commonly used in destructive or supply-chain attacks.
Skill source, lines 121–125:
```bash

# Install + start in one step
curl -sfL https://x0x.md | sh -s -- --start  # ← curl | shell — common in destructive or supply-chain attacks

# Fallback if x0x.md is unreachable (same script, from GitHub)
```
high · Dangerous shell pattern: curl | shell
The skill contains a shell command pattern (`curl | shell`) commonly used in destructive or supply-chain attacks.
Skill source, lines 124–128:
```bash

# Fallback if x0x.md is unreachable (same script, from GitHub)
curl -sfL https://raw.githubusercontent.com/saorsa-labs/x0x/main/scripts/install.sh | sh  # ← curl | shell — common in destructive or supply-chain attacks

# Autostart on boot (systemd on Linux, launchd on macOS)
```
high · Dangerous shell pattern: curl | shell
The skill contains a shell command pattern (`curl | shell`) commonly used in destructive or supply-chain attacks.
Skill source, lines 127–130 (line 130 closes the skill's own `bash` fence):
```bash

# Autostart on boot (systemd on Linux, launchd on macOS)
curl -sfL https://x0x.md | sh -s -- --autostart  # ← curl | shell — common in destructive or supply-chain attacks
```
med · No capability manifest declared
The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.
rule: no-manifest
med · Link text shows "security.md" but points at github.com
The visible link text contains the domain `security.md`, but the URL actually targets `github.com`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
Skill source, lines 80–84:
```markdown
6 bootstrap nodes (NYC, SFO, Helsinki, Nuremberg, Singapore, Tokyo) provide initial discovery and NAT traversal — they never see your data.

For security details (algorithms, RFCs, key pinning), see [docs/security.md](https://github.com/saorsa-labs/x0x/blob/main/docs/security.md).

## Identity: Three Layers
```
Flagged on line 82: text→security.md · href→github.com
skillox.io/c/x0x