OKX Exchange

Suspicious. Audited by ClawScan on May 10, 2026.

Overview

This appears to be a real OKX trading skill, but it can use live exchange credentials, execute financial actions, and create persistent trading monitors that are not fully reflected in the registry metadata.

Install only if you intend to let an agent interact with your OKX account. Start with `OKX_SIMULATED=1`, use restricted trade-only API keys, keep confirmations on, avoid `--no-confirm` and cron automation until you fully understand the behavior, and review any live-mode, leverage, transfer, or auto-close settings carefully.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If live or over-permissioned API keys are used, the agent may be able to trade or change account state on the user's OKX account.

Why it was flagged

The skill asks for OKX exchange API credentials, including live-trading credentials, while the registry metadata lists required env vars and primary credential as "none". These keys can grant account and trading authority.

Skill content
```text
OKX_API_KEY=your_key
OKX_SECRET_KEY=your_secret
OKX_PASSPHRASE=your_passphrase
...
OKX_API_KEY_LIVE / OKX_SECRET_KEY_LIVE / OKX_PASSPHRASE_LIVE
```
Recommendation

Use paper trading first, create a dedicated OKX API key with the minimum required permissions, disable withdrawals, use IP restrictions if available, and declare the required credentials in metadata before broad distribution.

What this means

A mistaken or overly autonomous agent action could place trades without a final manual confirmation.

Why it was flagged

The skill explicitly documents bypassing the order confirmation prompt for automated trading. That is purpose-aligned, but it is high-impact financial mutation and needs strong user gating.

Skill content
Skip confirmation prompt (for automation):
```bash
python3 okx.py buy BTC-USDT market 0.01 --no-confirm
```
Recommendation

Keep confirmation enabled by default, avoid `--no-confirm` unless intentionally automating with strict limits, and require explicit user approval before live orders, leverage changes, fund transfers, or bulk cancellations.

Concern (High Confidence)
ASI10: Rogue Agents
What this means

After setup, trading-related checks may continue running in the background across sessions and could affect live positions depending on configuration.

Why it was flagged

The setup script can create persistent scheduled jobs that load exchange credentials and run monitoring commands repeatedly.

Skill content
```bash
openclaw cron add \
      --every "${SLTP_INTERVAL}" \
      --name "okx-sl-tp" ...
source ~/.openclaw/workspace/.env
cd ${SCRIPTS_DIR}
python3 okx.py snapshot
python3 okx.py monitor sl-tp
```
Recommendation

Enable cron only intentionally, start in demo mode, review `openclaw cron list`, and use the documented teardown command when automation is no longer wanted.

What this means

Local memory files may contain sensitive trading history and can influence future strategy decisions.

Why it was flagged

The skill intentionally persists trading preferences, account/trade history, and learning state for later decisions.

Skill content
| File | Contents |
| --- | --- |
| `memory/okx-trading-preferences.json` | Risk parameters, strategy config, trading mode |
| `memory/okx-trade-journal.json` | Learning system trade log |
| `memory/okx-learning-model.json` | Learning model |
Recommendation

Treat the memory files as sensitive, review them periodically, and clear or reset learning data if it becomes inaccurate or if other agents can modify the workspace.

What this means

Users have less metadata-backed assurance about where the skill came from and exactly what setup steps are expected.

Why it was flagged

The registry metadata gives limited provenance and no install contract, even though the README includes a pip-based setup path.

Skill content
```text
Source: unknown
Homepage: none
...
```
Install specifications
No install spec — this is an instruction-only skill.
Recommendation

Review the included source before use, publish a clear homepage/source link, add an install spec, and pin dependencies where practical.