Quant Trade
Warn
Audited by ClawScan on May 18, 2026.
Overview
This OKX trading skill is coherent, but it can use trading API credentials to place real-money orders while credential/install declarations and live-trade safeguards are incomplete.
Review carefully before installing. Use demo mode first, create restricted OKX API keys with withdrawals disabled, verify the OKX CLI package, and require the agent to get explicit confirmation before every live order, leverage change, position close, or stop-loss/take-profit action.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or ambiguous agent action could place, close, or leverage a real OKX position and cause financial loss.
The skill authorizes the agent to execute OKX trading commands that affect real funds, and at least one order workflow example omits the required --profile. That weakens containment for live-vs-demo execution.
`User intent is explicit (e.g. 'real' / '实盘' / 'live' → live) → use it directly and inform the user`; `okx --profile live spot place ... # live — real funds`; `okx swap place --instId BTC-USDT-SWAP --side buy --ordType market --sz 1000 ...`
Require an explicit final confirmation for every live trade, always include --profile on every authenticated command, read back side/size/instrument/profile before execution, and consider hard limits for order size and leverage.
Installing or using the skill may grant an agent trading authority over an OKX account that users might not expect from the registry metadata.
The skill needs local OKX trading credentials and profile configuration, but the supplied registry metadata lists no primary credential, env vars, or required config paths. This under-declares a high-privilege account boundary.
`Trading operations require API credentials`; `export OKX_API_KEY=your_key`; `export OKX_SECRET_KEY=your_secret`; `export OKX_PASSPHRASE=your_passphrase`; `~/.okx/config.toml`
Declare the OKX credential and config requirements, use least-privilege API keys with withdrawals disabled, keep demo and live keys separate, and never paste secrets into chat.
A compromised or unexpected dependency could affect the local environment or trading workflow.
The skill relies on user-installed, unpinned external packages and a global trading CLI. This is aligned with the trading purpose, but the artifacts do not pin versions or provide a registry install spec.
`pip install pandas requests apscheduler`; `npm install -g @okx_ai/okx-trade-cli`
Install only from trusted sources, verify the OKX CLI package provenance, pin versions where possible, and avoid granting unnecessary account permissions.
The process may continue polling and logging until the user stops it.
The scheduler can keep a background process alive and run periodic market-data jobs. It is visible and user-started, and the included code only fetches public market data, but it is still long-running behavior.
`scheduler.start()` ... `while True: time.sleep(60)`; `调度服务已就绪。按 Ctrl+C 退出。`
Run the scheduler only when needed, monitor its logs, and stop it with Ctrl+C or by terminating the process when finished.
