DEX Aggregator Quote

v1.0.0

Fetch optimal swap quotes from OKX DEX Aggregator API (v6). Use this skill when a user wants to: 1. Get the best price for swapping tokens on any supported E...

by Ez Orion @aaronllee
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The SKILL.md and the included Python client clearly implement an OKX DEX aggregator quote client and require OKX API credentials (OKX_ACCESS_KEY, OKX_SECRET_KEY, OKX_PASSPHRASE). Requiring those secrets is appropriate for this purpose. However, the package/registry metadata lists zero required environment variables and the skill 'Source' is 'unknown' with no homepage — a provenance/metadata mismatch that reduces trust.
Instruction Scope
The instructions focus on constructing authenticated GET requests to https://web3.okx.com/api/v6/dex/aggregator/quote, handling decimals, signing with HMAC-SHA256, validating addresses, and presenting results. They do not ask the agent to read unrelated files, contact unrelated endpoints, or exfiltrate other data.
Install Mechanism
There is no install spec (instruction-only + a bundled Python script). The only third-party dependency is 'requests' (raised as ImportError if missing). No downloads from arbitrary URLs or archive extraction are present.
Credentials
The code and SKILL.md require three OKX credentials (access key, secret, passphrase), which is proportionate to calling a signed OKX API. However, the registry metadata omits these required env vars, which is a concrete inconsistency. Also the skill owner and source are not linked to a verifiable homepage or repo, increasing supply-chain risk for handing over credentials.
Persistence & Privilege
The skill does not request always:true, does not alter other skills or system settings, and does not request persistent elevated privileges. It reads only its own required environment variables and opens HTTPS requests to web3.okx.com.
What to consider before installing
This skill appears to implement an OKX DEX quote client and legitimately needs OKX API credentials, but the registry metadata does not declare those required env vars and the package has no verifiable source or homepage. Before installing:
1) Confirm the skill publisher identity and prefer a skill with a verifiable GitHub/npm/pypi repo or homepage.
2) Do not reuse high-privilege exchange keys — create a limited-read-only OKX Web3 API key or a throwaway account for testing.
3) Inspect the full get_quote implementation (the bundle is partial here) and run it in an isolated environment.
4) If you proceed, keep secrets in a secure store (not inlined) and monitor outgoing network calls to ensure they only target web3.okx.com.
If the missing metadata (declared env vars, homepage/source) cannot be explained, treat this package with caution or prefer a better-documented alternative.


Tags: aggregator, defi, dex, latest, okx, okx dex, quote, swap, web3
