Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
OKX Trade Kit
v1.0.1Setup, install, and use OKX Agent Trade Kit — the official OKX toolkit for AI-powered trading. Use this skill whenever the user mentions: OKX trading, agent...
⭐ 0· 275·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description and the SKILL.md are coherent: this is an OKX trading toolkit (market data, trading, portfolio, bots). However the registry metadata declared no required binaries or credentials while SKILL.md explicitly requires Node.js (Node 18+) and instructs using npm/npx to install packages — an undocumented dependency. This mismatch is likely sloppy metadata but worth calling out.
Instruction Scope
Instructions stay inside the claimed scope (installing the toolkit, configuring ~/.okx/config.toml with API keys, demo vs live, and example NL trading commands). They explicitly tell users not to paste API keys in chat and recommend sub-accounts and demo mode. One operational concern: SKILL.md suggests running installation commands (npx/npm) which will fetch and run remote code — expected for this purpose but increases runtime risk if the downloaded package is unverified. Instructions do not ask to read unrelated system files or exfiltrate data.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md tells users to run `npx skills add okx/agent-skills` and `npm install -g @okx_ai/okx-trade-mcp` — i.e., npm/npx installs from remote registries. npm/npx downloads and runs remote code at install/run time; this is a common way to install Node tools but is a moderate risk compared to purely instruction-only skills with no network installs. The SKILL.md points to GitHub and okx domains (expected), but the skill gives no guidance on verifying package integrity or pinned versions.
Credentials
Registry metadata lists no required env vars or credentials, yet SKILL.md requires creating ~/.okx/config.toml with API keys/secret/passphrase (demo and live). Storing exchange API credentials locally is expected for a trading toolkit, and the SKILL.md recommends least-privilege (sub-account, no withdrawal rights) and demo mode. The mismatch between metadata and the runtime need for credentials should be resolved by the publisher, but the credential request itself is proportionate to the stated purpose.
Persistence & Privilege
The skill is user-invocable, not always: true, and does not request persistent elevated privileges or modifications to other skills. Nothing in the materials asks the skill to alter other agent configs or grant itself platform-wide privileges.
What to consider before installing
This instruction-only skill looks like a legitimate OKX trading toolkit, but there are a few things to check before installing: 1) Metadata omitted Node/npm as required — SKILL.md requires Node.js 18+ and uses npx/npm to fetch packages. Make sure you have a trustworthy source (confirm the GitHub repo and npm package names and prefer pinned versions). 2) npx/npm will download and run remote code at install time — only proceed if the package is from the official OKX organization and you trust the release. 3) The skill stores API credentials in ~/.okx/config.toml — follow its advice: use a sub-account with no withdrawal permission, test in demo mode first, and never paste keys into chat. 4) Because this is instruction-only, static scanning couldn’t inspect code; if possible, review the GitHub repository (https://github.com/okx/agent-trade-kit) and npm package contents before running npx or npm install. 5) If you want to minimize risk, run the MCP/tooling in read-only or demo mode first and consider running installations in an isolated environment (VM or container).Like a lobster shell, security has layers — review code before you run it.
latestvk97achffx2wvgg0230qc780tns84jsvw
License
MIT-0
Free to use, modify, and redistribute. No attribution required.