OKX Exchange

Security checks across malware telemetry and agentic risk

Overview

This OKX trading skill is not clearly malicious, but it grants real-money trading authority with several controls that are too broad for a financial agent.

Install only if you understand that this skill can access OKX account data and, when configured, place live trades or transfer funds. Keep paper trading enabled first, avoid setting OKX_API_URL unless you control the endpoint, do not enable auto_trade or cron jobs until limits are configured, and use API keys with the minimum OKX permissions needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (31)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
missing.append(pkg)
    if missing:
        print(f"Installing: {', '.join(missing)}")
        subprocess.check_call([sys.executable, "-m", "pip", "install"] + missing, stdout=subprocess.DEVNULL)
        print("Done.")
Confidence
84% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install"] + missing, stdout=subprocess.DEVNULL)

Tainted flow: 'BASE_URL' from os.getenv (line 28, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
    if time.time() - _last_sync < 300:
        return
    try:
        r = requests.get(f"{BASE_URL}/api/v5/public/time", timeout=5)
        server_ms = int(r.json()["data"][0]["ts"])
        _time_offset = server_ms / 1000 - time.time()
        _last_sync = time.time()
Confidence
94% confidence
Finding
r = requests.get(f"{BASE_URL}/api/v5/public/time", timeout=5)

Tainted flow: 'url' from os.getenv (line 88, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
            try:
                headers = self._headers(method, full_path, data or "")
                if method == "GET":
                    r = requests.get(url, headers=headers, timeout=10)
                else:
                    r = requests.post(url, headers=headers, data=data, timeout=10)
                if not r.ok:
Confidence
97% confidence
Finding
r = requests.get(url, headers=headers, timeout=10)

Tainted flow: 'url' from os.getenv (line 88, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
                if method == "GET":
                    r = requests.get(url, headers=headers, timeout=10)
                else:
                    r = requests.post(url, headers=headers, data=data, timeout=10)
                if not r.ok:
                    try:
                        err = r.json()
Confidence
97% confidence
Finding
r = requests.post(url, headers=headers, data=data, timeout=10)

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The documentation describes autonomous behavior that can materially change trading risk, including automatically increasing position size, widening stop-loss/take-profit targets, and prioritizing execution based on learned patterns. In a live trading skill, these undocumented or under-scoped self-modifying behaviors can cause users to take on more exposure than expected and may bypass the manifest’s apparent strategy boundaries.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The document explicitly instructs the agent to 'learn from outcomes' and 'continuously refine its own judgment,' which implies autonomous strategy evolution beyond a fixed, user-approved trading policy. In a live trading skill, this can cause behavior drift, unbounded strategy changes, and execution of trades that no longer match the declared strategy or risk model, increasing the chance of unsafe financial actions.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The statement 'Risk is not managed through fixed limits' rejects hard safety constraints and replaces them with discretionary judgment. In a trading agent that can manage accounts and place orders, absence of fixed caps on leverage, loss, exposure, or position size can lead to runaway losses, liquidation, or concentration risk during volatile markets.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The file exposes fund transfer functionality and a live/demo mode switch, but these high-risk capabilities are not reflected in the manifest description. That mismatch can mislead users or upstream agents about the true authority of the skill, increasing the chance of unintended real-money movement or activation of live trading paths.

Description-Behavior Mismatch

Low
Confidence
88% confidence
Finding
The snapshot feature persists account balances, positions, and PnL history to local storage, but this data retention behavior is not disclosed in the manifest. Undisclosed persistence of financial account data creates privacy and operational risk, especially on shared hosts or agent environments where users may assume ephemeral processing.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The skill exposes a transfer capability that moves funds between OKX account buckets, but that capability is not disclosed in the manifest description. Hidden funds-movement functionality increases the risk that a user or orchestrator invokes actions beyond the declared scope, which is especially dangerous in a trading skill with live account access.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger list includes broad phrases like 'BTC price', 'check balance', 'place order', and other common trading-language terms that can cause accidental invocation. In a financial skill with execution and transfer capabilities, over-broad triggering materially increases the chance of unintended actions or sensitive account access.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation explicitly permits bypassing confirmation for trade execution via '--no-confirm' and frames it as suitable for automation without a strong, prominent warning about live-trading consequences. Because the skill also supports switching into live mode, this lowers the barrier to irreversible financial actions from automated or ambiguous requests.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The guide presents trade decisions as recommended actions using confidence thresholds but does not include any explicit warning that these outputs can lead to real financial loss, slippage, liquidation, or erroneous automated execution. In a trading skill, framing an output as 'recommended to execute' can cause users or downstream agents to treat model-generated advice as authoritative, increasing the chance of unsafe real-order placement.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The integration example directly calls execute_trade when the engine returns a buy decision over a confidence threshold, with no user confirmation, no dry-run default, and no guardrails around live trading. In the context of an OKX exchange agent that supports order execution and automated strategy execution, this creates a realistic path to unintended or overtrusted autonomous trading with direct financial consequences.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document states that raw trade data is deleted after compression without any explicit warning about irreversibility or possible loss of audit fidelity. In a financial trading context, silent destruction of detailed historical records can impair dispute resolution, compliance review, strategy debugging, and user recovery from mistakes.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The policy specifies deletion of data older than 90 days but does not warn users that the removal is permanent. For a trading agent, historical records may be important for tax, audit, incident investigation, and performance validation, so undocumented deletion materially increases operational and financial risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The cleanup and compression commands are presented as routine operations without warning that they may permanently remove or condense stored trading data. In this skill context, users may run these commands expecting harmless maintenance and unintentionally destroy records needed for auditing, troubleshooting, or learning-system validation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guidance describes autonomous trade selection, adaptive sizing, and ongoing decision-making without clear warnings about financial loss, volatility, liquidation, or the need for user oversight. In the context of an OKX trading skill with direct execution capability, omission of such warnings can normalize unsafe autonomous use and mislead users about the risk of material financial harm.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The cron job message explicitly sources ~/.openclaw/workspace/.env, which likely contains API keys or other secrets, and then instructs the agent to send command output verbatim. Even if the commands do not intentionally print secrets, this creates an unnecessary credential-exposure path and normalizes unattended access to sensitive material without warning or minimization.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The fund transfer function performs an asset-moving operation with no user confirmation, warning, policy check, or secondary authorization. In a trading agent context, transfer operations are sensitive because they can move funds between account buckets and may facilitate unintended exposure, loss of trading controls, or preparation for further unauthorized actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This monitor function can automatically submit live market orders to close positions based only on configured thresholds, with no interactive confirmation, dry-run barrier, or secondary authorization at execution time. In a trading skill, that creates real asset-movement risk from misconfiguration, faulty data, strategy error, or unintended invocation, especially because market orders can execute immediately at unfavorable prices during volatility.

Missing User Warnings

High
Confidence
98% confidence
Finding
The opportunity scanner can transition directly from analysis to live order placement, and it explicitly disables confirmation via no_confirm=True. Because this code runs in an automated monitoring context, a bad signal, manipulated input, stale state, or accidental cron invocation could trigger unintended market trades with attached TP/SL parameters and immediate financial consequences.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This code saves live account snapshot data containing equity, available balance, PnL, and open positions without any user-facing warning at the point of collection. In a trading skill, these records are sensitive financial telemetry and could be exposed through local compromise, backups, logs, or multi-tenant environments.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script persistently stores trading decisions, including coin, signal, price, RSI, reasons, and timestamps, under the user's home directory without any notice, consent, retention controls, or access restrictions. In a trading skill, these logs can reveal sensitive portfolio behavior and strategy metadata, making privacy and operational-security exposure more significant than in a non-financial context.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script persistently stores detailed trading history, lessons, and inferred patterns under the user's home directory without any notice, consent flow, retention disclosure, or protection controls. In a trading skill, these records can reveal portfolio behavior, strategy preferences, and performance data, making unintended disclosure or silent long-term retention a meaningful privacy and operational risk.

VirusTotal

64/64 vendors flagged this skill as clean.
