Temp Skills

Warn

Audited by ClawScan on May 10, 2026.

Overview

This skill is a high-risk OKX trading instruction set that embeds account/API details and permits trades without clear credential handling or per-trade user approval.

Treat this as a Review item before installing. Rotate the exposed OKX API key if it is real, do not connect it to a live trading account, and only use a version that stores credentials securely, requires explicit confirmation for every trade, and clearly defines logging and notification behavior.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone using or viewing the skill may expose or misuse account-level trading authority, and the key may already need rotation.

Why it was flagged

The skill embeds account identifiers and an API key with stated read and trading permissions, while the registry declares no required credentials.

Skill content
**UID**: 406344003542497297
- **API Key**: 418d477d-7247-4df9-9270-66055550c1cc
- **Permissions**: Read + Trade (no withdrawal)

Recommendation

Do not install or use this with a real account until the key is removed, rotated, stored as a user-provided secret, and restricted to the minimum needed permissions such as read-only or testnet.

What this means

An agent following these instructions could place market-affecting or financially harmful orders if invoked incorrectly or without a clear confirmation step.

Why it was flagged

The instructions authorize high-impact trading and fund-transfer workflows but do not define explicit user approval, maximum order size, allowed instruments, or rollback controls.

Skill content
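**Spot trading**: Buying and selling major coins such as BTC/ETH/SOL
- **Contract trading**: Perpetual contracts, delivery contracts
- **Fund management**: Asset queries, fund transfers
...
3. Place order: `okx_place_order(symbol, side, price, size)`
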
Recommendation

Require per-order user confirmation, strict symbol and size limits, sandbox/testnet defaults, and a visible audit trail before enabling any live trading action.

What this means

Trade history or account activity could be retained somewhere the user does not expect.

Why it was flagged

The skill instructs that all trades must be logged, which is purpose-aligned for auditability but may store sensitive financial activity without specifying location, retention, or access controls.

Skill content
- All trades must be logged

Recommendation

Clarify where logs are written, how long they are kept, who can read them, and how users can delete or export them.

What this means

Sensitive trading incidents or account information could be sent to an unclear third party if the agent has a messaging channel available.

Why it was flagged

The skill directs notifications to 'Steve' during abnormal conditions without defining who Steve is, what channel is used, or what information is shared.

Skill content
- In abnormal situations, pause immediately and notify Steve

Recommendation

Replace this with an explicit user-approved notification recipient and channel, and avoid sending account details unless the user confirms.