OKX Trading Executor
Verdict: Suspicious. Audited by ClawScan on May 10, 2026.
Overview
This is a coherent OKX trading executor, but it can use OKX API keys to place live orders without declared credential requirements or built-in confirmation/limits.
Install only if you intend to let an agent operate an OKX account. Start with okx_demo, use a separate least-privileged OKX API key with withdrawals disabled, keep secrets out of prompts, and require manual review/confirmation before any okx_live order.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent or strategy that has the credentials can submit real OKX trades, potentially moving funds if it is invoked incorrectly.
The same CLI exposes live OKX trading and order-placement actions; the artifacts do not show a confirmation flag, maximum order size, symbol allowlist, or other live-trading guard before order submission.
choices=["okx_demo", "okx_live"] ... "place_market_order", "place_limit_order"
Require explicit human approval for each live order, add maximum size/notional limits, make demo mode the safe default, and consider separating live trading into a more tightly permissioned skill.

The skill may place an order larger than the user or calling agent requested.
A market buy below 10 USDT is silently increased to 10 USDT rather than rejected; similar minimum-size coercion exists for tiny sell/limit orders.
if float(body['sz']) < 10:
    body['sz'] = "10.00"
Reject below-minimum order sizes with a clear error, or require explicit user confirmation before increasing the order amount.

Users may not realize before installation that the skill needs powerful exchange credentials capable of live trading.
This conflicts with the skill’s own documentation and .env template requiring OKX_API_KEY, OKX_API_SECRET, and OKX_PASSPHRASE for an account that can be queried and traded.
Required env vars: none; Env var declarations: none; Primary credential: none
Declare the OKX credential requirements in metadata, document required scopes, and advise users to use least-privileged keys with withdrawals disabled.

Runtime behavior may depend on whatever Python packages are already installed in the environment.
The package nonetheless includes runnable Python code that imports external dependencies, yet the provided artifacts pin neither dependency versions nor their provenance.
No install spec — this is an instruction-only skill.
Provide a requirements file or install spec with pinned dependency versions and review the installed packages before using live credentials.
