OKX MCP Skill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed OKX helper skill with a risky shared demo API key example, but no hidden execution, exfiltration, or deceptive behavior was found.

Prefer a personal least-privilege OKX API key stored through an environment variable or secret manager, not the shared demo key. Only run wallet, quote, approve, or swap commands when you are comfortable sending that context to OKX, and manually verify chain IDs, token contracts, amounts, recipients, and any transaction payload before approving.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding
The skill presents a shared demo API key as suitable for quick 'read-only' use, but the same document also advertises transaction-related operations such as approve and swap against the same endpoint without showing any enforced capability separation. This can mislead users or downstream agents into trusting the key's safety properties and attempting higher-impact actions under incorrect assumptions about scope and authorization.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The documentation embeds a real shared API secret for "quick trial auth," which encourages users to install and use a credential they do not control. Shared secrets in public documentation can be abused by anyone, lead to unauthorized usage under a common identity, and normalize insecure secret-handling practices in downstream environments.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The skill claims safe auth handling but demonstrates an unsafe pattern by providing a real shared secret in the setup flow. This contradiction is dangerous because users are likely to trust the documented flow, copy it into shells or automation, and thereby leak or depend on a credential with unknown ownership, monitoring, rotation, and access scope.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
Publishing a shared demo API key in skill documentation encourages real network use of a credential that is not private and may be rate-limited, revoked, monitored, or abused by others. In an agent setting, this can cause unreliable behavior, unintended disclosure in logs or history, and normalization of hardcoded secret usage patterns that weaken credential hygiene.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The docs instruct users to authenticate with a shared API key without any warning about credential-sharing, attribution, rate-limit contention, logging exposure, or revocation risk. In this context, the skill is specifically for market data, wallet queries, and swap planning against a live external service, so unsafe auth examples are more dangerous because they are likely to be copied into real CLI sessions and operational workflows.

VirusTotal

66/66 vendors flagged this skill as clean.
