ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MEXC OpenAPI Skill

Operate MEXC Spot REST APIs through UXC with a curated OpenAPI schema, HMAC query signing, and separate public/signed workflow guardrails.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 38 · 1 current installs · 1 all-time installs
by@jolestar
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md and OpenAPI schema clearly describe MEXC Spot public and signed flows (consistent with the name). However the skill metadata declares no required environment variables or binaries while the instructions explicitly require MEXC_API_KEY and MEXC_SECRET_KEY (via uxc auth) and the validate script requires jq and rg — this mismatch is incoherent and should be corrected.
!
Instruction Scope
Instructions stay within the stated purpose (link to API, curate OpenAPI schema, set up HMAC signer, prefer reads before writes, require confirmation for writes). But they instruct creating credentials from env:MEXC_API_KEY and env:MEXC_SECRET_KEY and adding a signer binding — yet those env vars are not declared in metadata. The skill also relies on an external 'uxc' skill and on network access to api.mexc.com and a raw.githubusercontent.com schema URL (expected but worth verifying trust).
Install Mechanism
This is instruction-only (no install spec), which is lowest install risk. Referenced schema is hosted on raw.githubusercontent.com (a normal release host). The included validate.sh is benign but requires jq and rg on PATH.
!
Credentials
The behavior legitimately requires two sensitive fields (API key and secret) for signed Spot operations, which is proportionate to the purpose — but those credentials are not listed in requires.env/primaryEnv. Also the validate script requires jq and rg which are not declared. The missing declarations reduce transparency about what secrets/tools the skill will use.
Persistence & Privilege
always:false and normal autonomous invocation settings. The skill does not request forced permanent inclusion or to modify other skills. Autonomous invocation combined with signed-write capability raises operational risk (it can place/cancel orders) but that risk follows from the feature, not from extra privileges requested by the skill.
What to consider before installing
This skill appears to do what it says (wrap MEXC Spot REST via a curated OpenAPI schema and HMAC signing) but there are important inconsistencies you should resolve before use: 1) Confirm the installer/registry metadata lists the required environment variables (MEXC_API_KEY and MEXC_SECRET_KEY) so you know the skill will access secrets. 2) Verify 'uxc' (the execution/auth utility) is trusted in your environment — the skill delegates auth and signing to uxc. 3) Be aware the validate script requires jq and ripgrep (rg); ensure those tools are available. 4) Because the skill can perform signed writes (create/cancel orders), require explicit confirmations and limit the API key’s permissions and funds on the exchange (use a restricted API key where possible). 5) Inspect or pin the OpenAPI schema source (raw.githubusercontent.com URL) and consider hosting your own trusted copy if you need higher assurance. If the registry metadata cannot be corrected or you do not trust uxc or the schema source, treat this skill as higher risk and avoid giving it live API keys.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97cez9nrdc81akr7738mzqa7x831kh7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

MEXC Spot API Skill

Use this skill to run MEXC Spot REST operations through uxc + OpenAPI.

Reuse the uxc skill for shared execution, auth, and error-handling guidance.

Prerequisites

  • uxc is installed and available in PATH.
  • Network access to https://api.mexc.com.
  • Access to the curated OpenAPI schema URL:
    • https://raw.githubusercontent.com/holon-run/uxc/main/skills/mexc-openapi-skill/references/mexc-spot.openapi.json

Scope

This skill covers a curated MEXC Spot REST surface for:

  • public market reads
  • signed account reads
  • signed order create, cancel, and lookup flows

This skill does not cover:

  • futures APIs
  • broader platform product families

Authentication

Public market endpoints do not require credentials.

Signed Spot endpoints require:

  • api_key field for X-MEXC-APIKEY
  • secret_key field for HMAC SHA256 query signing

Create one credential:

uxc auth credential set mexc-spot \
  --auth-type api_key \
  --field api_key=env:MEXC_API_KEY \
  --field secret_key=env:MEXC_SECRET_KEY

Add one signer binding:

uxc auth binding add \
  --id mexc-spot \
  --host api.mexc.com \
  --path-prefix /api/v3 \
  --scheme https \
  --credential mexc-spot \
  --signer-json '{"kind":"hmac_query_v1","algorithm":"hmac_sha256","signing_field":"secret_key","key_field":"api_key","key_placement":"header","key_name":"X-MEXC-APIKEY","signature_param":"signature","signature_encoding":"hex","timestamp_param":"timestamp","timestamp_unit":"milliseconds","canonicalization":{"mode":"preserve_order"}}' \
  --priority 100

Validate the active mapping when auth looks wrong:

uxc auth binding match https://api.mexc.com/api/v3/account

Core Workflow

  1. Use the fixed link command by default:

    • command -v mexc-openapi-cli
    • If missing, create it: uxc link mexc-openapi-cli https://api.mexc.com --schema-url https://raw.githubusercontent.com/holon-run/uxc/main/skills/mexc-openapi-skill/references/mexc-spot.openapi.json
    • mexc-openapi-cli -h

  2. Inspect operation help before execution:

    • mexc-openapi-cli get:/api/v3/ticker/price -h
    • mexc-openapi-cli get:/api/v3/account -h
    • mexc-openapi-cli post:/api/v3/order -h

  3. Prefer public reads first:

    • mexc-openapi-cli get:/api/v3/ticker/price symbol=BTCUSDT
    • mexc-openapi-cli get:/api/v3/depth symbol=BTCUSDT limit=20

  4. Use signed reads before writes:

    • mexc-openapi-cli get:/api/v3/account recvWindow=5000
    • mexc-openapi-cli get:/api/v3/openOrders symbol=BTCUSDT recvWindow=5000

Operation Groups

Public Market

  • get:/api/v3/ping
  • get:/api/v3/exchangeInfo
  • get:/api/v3/ticker/price
  • get:/api/v3/ticker/24hr
  • get:/api/v3/depth

Signed Reads

  • get:/api/v3/account
  • get:/api/v3/openOrders
  • get:/api/v3/order

Signed Writes

  • post:/api/v3/order
  • delete:/api/v3/order

Guardrails

  • Keep automation on the JSON output envelope; do not use --text.
  • Parse stable fields first: ok, kind, protocol, data, error.
  • Treat signed write operations as high-risk and require explicit confirmation before execution.
  • timestamp and signature are injected by the signer binding; users normally provide business parameters plus optional recvWindow.
  • Query exchangeInfo before placing orders so symbol filters and lot sizes are known.
  • mexc-openapi-cli <operation> ... is equivalent to uxc https://api.mexc.com --schema-url <mexc_spot_openapi_schema> <operation> ....

References

Files

5 total
Select a file
Select a file to preview.

Comments

Loading comments…