MEXC OpenAPI Skill

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a signed write is confirmed incorrectly, the agent could place or cancel a real MEXC Spot order.

Why it was flagged

The skill explicitly supports high-impact signed write operations such as order creation and cancellation, but it also discloses the risk and requires confirmation.

Skill content

Treat signed write operations as high-risk and require explicit confirmation before execution.

Recommendation

Review every order symbol, side, quantity, price, and cancellation target before approval; start with read-only checks and small test orders where appropriate.

What this means

The configured API credentials can read account/order data and, if permitted by the key, create or cancel spot orders.

Why it was flagged

Signed MEXC endpoints require an API key and secret for HMAC signing, giving the skill delegated account/order authority through UXC.

Skill content

--field api_key=env:MEXC_API_KEY \
  --field secret_key=env:MEXC_SECRET_KEY

Recommendation

Use a dedicated MEXC API key with the minimum necessary permissions, avoid withdrawal permissions, keep secrets in environment variables, and rotate or revoke the key if no longer needed.

What this means

If the remote schema changes later, the linked CLI could expose a different MEXC API surface than the bundled reviewed file.

Why it was flagged

The runtime CLI link uses an unpinned remote schema from a GitHub main branch; the schema defines the available API operations.

Skill content

uxc link mexc-openapi-cli https://api.mexc.com --schema-url https://raw.githubusercontent.com/holon-run/uxc/main/skills/mexc-openapi-skill/references/mexc-spot.openapi.json

Recommendation

Prefer a reviewed local schema or a pinned commit URL when linking, especially before enabling signed order operations.