技能详情(站内镜像,无评论)
许可证:MIT-0
MIT-0 ·免费使用、修改和重新分发。无需归因。
版本:v1.2.0
统计:⭐ 5 · 1.8k · 11 current installs · 11 all-time installs
⭐ 5
安装量(当前) 11
🛡 VirusTotal :良性 · OpenClaw :良性
Package:atyachin/xpoz-setup
安全扫描(ClawHub)
- VirusTotal :良性
- OpenClaw :良性
OpenClaw 评估
The skill's code and instructions consistently perform an OAuth setup against mcp.xpoz.ai using mcporter and a headless PKCE flow; the requested operations and files are proportional to the stated purpose.
目的
Name/description (Xpoz MCP OAuth setup) matches the implemented steps: checking mcporter, registering the MCP server, running a browser or headless PKCE flow, and configuring mcporter with a bearer token. Required binary (mcporter) and network hosts (mcp.xpoz.ai, www.xpoz.ai) are appropriate for this purpose.
说明范围
SKILL.md instructs only to run local checks, call mcporter, perform OAuth (either via browser or a manual headless flow), and wait for the user-provided code. It does not ask to read unrelated files or exfiltrate data to unexpected endpoints — network activity is limited to Xpoz endpoints. The script stores transient PKCE state in a restricted cache directory and does not print tokens.
安装机制
There is no install spec (instruction-only skill) and the included shell/python script is small and local. No downloads from third-party URLs or archive extraction are performed. Risk from installation is low.
证书
The skill requests no environment variables or unrelated credentials. It only requires the mcporter binary and network access to Xpoz domains, which aligns with the OAuth/configuration task. The bearer token obtained is used to configure mcporter — reasonable for this integration.
持久
The skill configures mcporter and therefore results in persistent storage of an Authorization header (bearer token) inside mcporter's configuration. This is expected for an OAuth setup but is a persistent secret the user should be aware of. always:false and normal autonomous invocation mean it does not force global inclusion.
综合结论
This skill appears to do exactly what it says: set up Xpoz OAuth and configure mcporter. Before installing, confirm you trust https://xpoz.ai and that mcporter is the correct, official tool included with your OpenClaw install. Be aware that the OAuth access token will be written into mcporter's configuration (persistent on disk) so if you want to revoke access later, remove the xpoz config entry or revoke the token from Xpoz. On headless serve…
安装(复制给龙虾 AI)
将下方整段复制到龙虾中文库对话中,由龙虾按 SKILL.md 完成安装。
请把本段交给龙虾中文库(龙虾 AI)执行:为本机安装 OpenClaw 技能「Xpoz Setup」。简介:Set up and authenticate the Xpoz MCP server for social media intelligence. Requ…。
请 fetch 以下地址读取 SKILL.md 并按文档完成安装:https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/atyachin/xpoz-setup/SKILL.md
(来源:yingzhi8.cn 技能库)SKILL.md
---
name: xpoz-setup
description: "Set up and authenticate the Xpoz MCP server for social media intelligence. Required by all Xpoz skills. Handles server configuration, OAuth login, and connection verification with minimal user interaction."
homepage: https://xpoz.ai
metadata:
{
"openclaw":
{
"requires": { "bins": ["mcporter"], "network": ["mcp.xpoz.ai", "www.xpoz.ai"], "credentials": "Xpoz account (free tier) — obtained via Google OAuth during setup" },
},
}
tags:
- xpoz
- mcp
- setup
- oauth
- social-media
---
# Xpoz Setup
**Automatic MCP server setup and authentication for Xpoz — the social intelligence platform.**
This skill is a prerequisite for all Xpoz skills. It configures the Xpoz MCP server and handles OAuth login so your agent can access Twitter, Instagram, TikTok, and Reddit data.
---
## Agent Instructions
**If you're an agent reading this, follow these steps in order. The user should not need to run any commands.**
### Step 1: Check if already authenticated
```bash
mcporter call xpoz.checkAccessKeyStatus
```
- If `hasAccessKey: true` → **STOP. Xpoz is ready.** Return to the skill that sent you here.
- If it fails, returns `false`, or the server isn't configured → continue.
### Step 2: Check if mcporter is available
```bash
which mcporter
```
If not found, **stop and inform the user.** mcporter is included with OpenClaw — if it's missing, the OpenClaw installation may be incomplete. Do not install mcporter independently. Tell the user:
> "mcporter is required but not found. It's included with OpenClaw — please ensure OpenClaw is properly installed."
### Step 3: Add the Xpoz MCP server
```bash
mcporter config add xpoz https://mcp.xpoz.ai/mcp --auth oauth
```
This registers Xpoz as a remote HTTP MCP server with OAuth authentication. mcporter auto-discovers the OAuth endpoints from `https://mcp.xpoz.ai/.well-known/oauth-authorization-server`.
If the server already exists but auth failed, skip this step.
### Step 4: Detect environment (local vs remote)
Determine whether you're running on a local machine with a browser or a remote/headless server:
```bash
# Check for display server (Linux) or macOS
echo "DISPLAY=${DISPLAY:-unset} WAYLAND=${WAYLAND_DISPLAY:-unset} OS=$(uname)"
```
**Local machine** = any of these is true:
- `$DISPLAY` is set (Linux with X11)
- `$WAYLAND_DISPLAY` is set (Linux with Wayland)
- `uname` returns `Darwin` (macOS)
**Remote/headless** = none of the above.
Then follow the appropriate flow:
---
### Step 4a: LOCAL — Browser flow (automatic)
```bash
mcporter config login xpoz
```
mcporter opens the user's default browser, the user authorizes, the callback completes automatically. Tell the user:
> "I'm connecting you to Xpoz for social media intelligence. A browser window should open — just sign in with your Google account and click Authorize. That's all you need to do!"
Then skip to **Step 5**.
---
### Step 4b: REMOTE — Manual code flow
On a headless server, `mcporter config login xpoz` will crash trying to open a browser. Instead, handle the OAuth flow manually:
#### 4b-i. Build the authorization URL
Run this script to generate the OAuth authorization URL with PKCE:
```bash
bash "$(dirname "$0")/../xpoz-setup/scripts/oauth-remote.sh" get-url
```
Or if the script isn't available, build it manually:
```python
import secrets, hashlib, base64, urllib.parse, os
os.makedirs(os.path.expanduser('~/.cache/xpoz-oauth'), exist_ok=True)
# Generate PKCE
verifier = secrets.token_urlsafe(64)
challenge = base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b'=').decode()
state = secrets.token_urlsafe(32)
params = {
'response_type': 'code',
'code_challenge': challenge,
'code_challenge_method': 'S256',
'redirect_uri': 'https://www.xpoz.ai/oauth/openclaw',
'state': state,
'scope': 'mcp:tools',
'resource': 'https://mcp.xpoz.ai/',
}
# Step 1: Dynamic client registration
import json, urllib.request
reg_req = urllib.request.Request(
'https://mcp.xpoz.ai/oauth/register',
data=json.dumps({
'client_name': 'OpenClaw Agent',
'redirect_uris': ['https://www.xpoz.ai/oauth/openclaw'],
'grant_types': ['authorization_code'],
'response_types': ['code'],
'token_endpoint_auth_method': 'none',
}).encode(),
headers={'Content-Type': 'application/json'},
)
reg_resp = json.loads(urllib.request.urlopen(reg_req).read())
params['client_id'] = reg_resp['client_id']
auth_url = 'https://mcp.xpoz.ai/oauth/authorize?' + urllib.parse.urlencode(params)
# Save state for later token exchange
with open(os.path.expanduser('~/.cache/xpoz-oauth/state.json'), 'w') as f:
json.dump({'verifier': verifier, 'state': state, 'client_id': reg_resp['client_id'], 'redirect_uri': params['redirect_uri']}, f)
print(auth_url)
```
#### 4b-ii. Send the URL to the user
Send the authorization URL to the user via the active chat channel with a message like:
> "I need to connect to Xpoz for social media search. Please open this link and sign in with your Google account:
>
> [authorization URL]
>
> After you authorize, Xpoz will show you an authorization code. Just paste it back to me here!"
#### 4b-iii. WAIT for the user's reply
**STOP here and wait.** Do not proceed until the user replies with the authorization code. The user needs time to open the link, sign in, and authorize. Only continue once they paste the code back in chat.
#### 4b-iv. Extract the code from the user's reply
The user will paste back either:
- Just the code: `AUTH_CODE_HERE`
- Or a full URL: `https://www.xpoz.ai/oauth/openclaw?code=AUTH_CODE_HERE&state=...`
If they pasted a URL, extract the `code` parameter. If they pasted a raw string, use it directly.
#### 4b-v. Exchange the code and configure mcporter
Run the exchange script with the code. This exchanges the code for a token and configures mcporter **in one step** — the token is never printed or exposed:
```bash
bash "$(dirname "$0")/../xpoz-setup/scripts/oauth-remote.sh" exchange AUTH_CODE_HERE
```
Expected output: `OK: Xpoz configured successfully`
**Security notes:**
- The access token is never printed to stdout or logs
- The OAuth state file (`~/.cache/xpoz-oauth/state.json`) is automatically deleted after exchange
- Tokens are stored only in the mcporter config
Then proceed to **Step 5** to verify.
---
### Step 5: Verify authentication
```bash
mcporter call xpoz.checkAccessKeyStatus
```
Confirm `hasAccessKey: true`. If not:
- **Local:** Retry `mcporter config login xpoz`
- **Remote:** Ask the user if they completed authorization, resend the link if needed
### Step 6: Return to the calling skill
Setup is complete. Go back to the skill that referenced this one and continue fulfilling the user's request. Don't make the user wait — they asked you to do something, auth was just a prerequisite.
---
## What Is Xpoz?
Xpoz is a remote MCP server for social media intelligence:
- **Platforms:** Twitter, Instagram, TikTok, Reddit
- **Scale:** 1.5B+ posts indexed
- **Features:** Search posts by keyword, find people by topic, profile lookup, engagement filtering, CSV export
- **Auth:** OAuth 2.1 with dynamic client registration (PKCE, public clients)
- **Setup:** Fully remote — no npm packages, no local installation, no API keys to copy
**Free tier available** — no credit card required.
Website: [xpoz.ai](https://xpoz.ai)
---
## Technical Details
### OAuth Discovery
Xpoz publishes a standard OAuth 2.1 authorization server metadata document:
```
GET https://mcp.xpoz.ai/.well-known/oauth-authorization-server
```
Key endpoints:
- **Authorization:** `https://mcp.xpoz.ai/oauth/authorize`
- **Token:** `https://mcp.xpoz.ai/oauth/token`
- **Dynamic registration:** `https://mcp.xpoz.ai/oauth/register`
- **PKCE:** S256 supported
- **Public clients:** `token_endpoint_auth_methods_supported` includes `none`
mcporter handles all of this automatically — you don't need to call these endpoints directly.
### Server Configuration
After setup, the mcporter config will contain:
```json
{
"xpoz": {
"transport": "http",
"url": "https://mcp.xpoz.ai/mcp"
}
}
```
OAuth tokens are managed by mcporter separately from the server config.
---
## Troubleshooting
| Problem | Solution |
|---------|----------|
| `mcporter` not found | Ensure OpenClaw is properly installed (mcporter is included) |
| Browser doesn't open | Headless server — capture the URL from stdout and send to user |
| "Unauthorized" after login | `mcporter config login xpoz --reset` |
| Auth times out | User may not have completed the browser flow — resend the URL |
| Server already exists | Skip Step 3, just run Step 4 |
---
## Plans & Pricing
| Plan | Price | Includes |
|------|-------|----------|
| Free | $0/mo | Limited searches, all platforms |
| Pro | $20/mo | Unlimited searches |
| Max | $200/mo | Unlimited + priority + bulk export |
Details: [xpoz.ai](https://xpoz.ai)
---
**Built for ClawHub • Prerequisite for all Xpoz skills**