Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

okxprediction

v1.0.0

Predicts short-term BTC market direction using multi-timeframe analysis, funding rates, and sentiment to signal trade execution, watch, or no trade.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill is presented as an OKX-focused BTC short-term prediction system (meta and description say '适用于OKX合约'), but the package declares no required environment variables, no API keys, and contains no instructions for connecting to OKX or any market data provider. If the skill is intended to generate signals only (not execute trades), the OKX claim is misleading; if it intends to execute trades, it lacks any credential handling or API-call instructions.
Instruction Scope
SKILL.md contains a detailed multi-timeframe scoring methodology and a fixed JSON output schema — it does not instruct the agent to read local files, access system config, or call external endpoints. However it also does not specify how to obtain the required inputs (K-line data, funding rate, long/short ratio, liquidation zones). That gap means an agent may attempt to fetch data from arbitrary sources or combine this skill with other connectors to obtain data/credentials.
Install Mechanism
Instruction-only skill with no install spec and no included code files. This minimizes on-disk execution risk; there are no downloaded binaries or external installers to review.
Credentials
No environment variables or credentials are declared, yet the meta description explicitly targets OKX contracts. For a skill expected to integrate with an exchange, the absence of declared API keys (OKX_API_KEY, secrets, etc.) is disproportionate and ambiguous. This could either indicate the skill is strictly signalling-only (then the OKX label is misleading) or that it expects the agent to obtain credentials elsewhere (which is risky).
Persistence & Privilege
always is false (normal) and no system-wide config changes are requested. Autonomous invocation is allowed by default — while not problematic on its own, combined with the credential/data sourcing ambiguity it raises the possibility that the agent could autonomously call other connectors or skills to trade using stored credentials. There's no explicit instruction to do so in SKILL.md.
What to consider before installing
- The skill's logic and scoring are self-contained and sensible as a signalling methodology, but it does not say where to get the market inputs (candles, funding rate, long/short ratio) or how it would connect to OKX. Decide whether you expect this to be a pure signal generator (manual use) or an automated trader — the skill as packaged does not include any credential handling or exchange API calls.
- Do not supply API keys or exchange credentials to this skill unless you fully trust the author and have reviewed explicit code that uses those keys. If you plan to enable automated trading, require the skill to declare which environment variables it will use (e.g., OKX_API_KEY/SECRET) and document exact API endpoints/calls.
- Because the source is 'unknown' and there is no homepage or code to audit, prefer using this only for manual, offline signal generation or after thorough review. Test outputs first against historical/paper data before committing real funds and ensure mandatory risk controls (stop-loss, position sizing) are enforced externally.
- Recommended improvements for the author: state data sources and authentication requirements in SKILL.md, optionally add a safe 'dry-run' mode, and provide examples showing how to feed data into the skill (or explicitly declare it expects the agent to provide market data).
