OKX Trader

v1.2.0

Automated OKX trading skill with dual-grid strategies, auto-rescaling, and risk controls for managing orders and monitoring account performance.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill's name, README, SKILL.md, scripts, and lib/okx-client.js consistently implement an OKX grid trading agent and legitimately require OKX API credentials and local config files. However, the provided registry summary at the top of the package metadata (which listed 'Required env vars: none') conflicts with the included skill.json/README/SKILL.md that declare OKX API env vars and node as a required binary. This appears to be a packaging/metadata mismatch rather than a capability mismatch.
Instruction Scope
The SKILL.md and scripts instruct the agent to read and write local files under /root/.openclaw/workspace/okx_data (config.json, grid_settings.json, logs, snapshots) and to call OKX API endpoints for market data, orders, fills, and balances. These actions are within the stated purpose. Important runtime effects: the bot will perform real trades (unless OKX_IS_SIMULATION=true), can cancel/place orders, and will persist rescaled grid settings to grid_settings.json and append audit/snapshot files. There are no instructions to read unrelated system config or exfiltrate data to third-party endpoints.
Install Mechanism
No external install/download step is present; the package is delivered as code files. There are no external URLs, archive extracts, or third-party installers in the manifest. This is lower-risk from an install mechanics perspective.
Credentials
The skill requires OKX API key, secret, passphrase and an OKX_IS_SIMULATION flag (declared in skill.json and used as fallbacks in code). Those credentials are necessary and proportionate for a trading bot. The code reads creds from config.json or environment variables, which matches the declared envs. The only proportionality concern is the earlier metadata mismatch that omitted these required env vars — verify what the platform will actually request or provide when enabling the skill.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It persists state under /root/.openclaw/workspace/okx_data by updating grid_settings.json, writing audit logs, and saving daily snapshots. The manifest also includes cronTemplates for scheduled autonomous runs (every 5 minutes and hourly/daily tasks). Combined with normal autonomous invocation, this means the skill can place/cancel orders on a schedule — a normal behavior for a trading bot but operationally impactful if run against live funds.
Assessment
This package appears to implement what it claims (an OKX grid trading bot) and asks for the expected OKX API keys. Before enabling or running it:
1) Use a dedicated test account and set OKX_IS_SIMULATION=true to confirm behavior; do not use main funds until you’ve tested.
2) Create API keys with the minimal required permissions (enable Trade only; explicitly disable Withdrawals).
3) Inspect and back up grid_settings.json and config.json: the bot will rewrite grid_settings.json during rescale.
4) Review cronTemplates/schedule: the package includes scheduled tasks (5-min maintenance, hourly report, daily snapshot) — disable or adjust schedules if you do not want automatic runs.
5) Confirm how the platform supplies environment variables (the package metadata and the registry summary disagree about required env vars).
6) Consider running the code in an isolated environment and monitoring API activity / logs; rotate keys after testing.
If you are not comfortable reviewing or running code that can place/cancel real orders automatically, do not install this skill or restrict it to simulation-only accounts.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c6j6p1gxq1c33yn501n5km9818qz1
