ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Okx Pro

v1.1.0

完整 OKX 交易所集成,U本位/币本位合约,杠杆交易,止盈止损,仓位管理

2· 205·0 current·0 all-time
byLostOmato@icenoodle
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (OKX trading) matches the instructions: it uses OKX V5 endpoints and provides order/position examples. The declared required binaries (curl, jq, openssl) are appropriate for the described functionality.
!
Instruction Scope
The runtime instructions explicitly require API credentials (either ~/.openclaw/credentials/okx.json or env vars OKX_API_KEY/OKX_SECRET/OKX_PASSPHRASE) and provide shell helpers that sign and send requests. The registry metadata, however, lists no required env vars/credentials — an inconsistency. Instructions otherwise stay within the stated trading scope and do not request unrelated system data.
Install Mechanism
Instruction-only skill with no install spec or downloads; no code files to write to disk. This is the lowest-risk install mechanism.
!
Credentials
The skill legitimately needs API credentials for OKX, but the skill metadata does not declare any required env vars or primary credential. Requesting three sensitive values (api key, secret, passphrase) is proportionate to the purpose, but the missing declaration in metadata and persistent credential file path means secrets could be present and accessed without the user noticing.
!
Persistence & Privilege
always: true is set in the registry metadata. That forces the skill to be present/loaded for all agents and increases blast radius if credentials are provided. There is no justification in the SKILL.md for requiring always-on behavior.
What to consider before installing
This skill's instructions are consistent with an OKX trading integration, but the package metadata fails to declare the required API credentials and it is marked always:true. Before installing: (1) do not provide your real exchange API keys until you confirm the skill source and code — prefer testnet or read-only keys first; (2) ask the publisher why credentials are not declared in metadata and why always:true is required; (3) if you proceed, limit key permissions (no withdraw), rotate keys after testing, and store secrets in a secure place; (4) prefer a skill with a verifiable homepage, source repo, or published owner; (5) if you need higher assurance, request the actual code files or a reviewed package rather than an opaque instruction-only skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk973ssbvgrx29zk8h58q4g1b0n834345

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🟧 Clawdis
Binscurl, jq, openssl

Comments