Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
okx-cex-earn
v1.2.8 · Manages OKX Simple Earn (flexible savings/lending), On-chain Earn (staking/DeFi), Dual Investment (DCD/双币赢), and AutoEarn (自动赚币) via the okx CLI. Use this sk...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan: OpenClaw
Verdict: Suspicious (medium confidence)
Purpose & Capability
The skill's name and description (manage OKX Earn products) align with the runtime instructions (calls to the okx CLI for balances, subscribe/redeem, DCD, on-chain, AutoEarn). However, the package metadata summarized earlier shows no required binaries/install spec while the SKILL.md frontmatter and body require the okx CLI and recommend npm install of @okx_ai/okx-trade-cli — this mismatch is inconsistent and should be clarified.
Instruction Scope
The SKILL.md explicitly directs the agent to run many authenticated CLI commands (write operations that move funds: earn savings purchase/redeem, dcd quote-and-buy, onchain purchase/redeem, auto-earn on/off, transfers). It also instructs the agent to read/verify the user's CLI config (mentions ~/.okx/config.toml and `okx config show`) and to guide edits of that file. Accessing that config (which contains API keys/passphrases) is necessary to the stated purpose, but the instructions do require handling sensitive local credentials and performing real-money operations — a higher-risk scope that must be acknowledged.
Install Mechanism
There is no separate install spec in the registry summary, but SKILL.md includes an install recommendation and frontmatter install entry for npm package @okx_ai/okx-trade-cli and requires the okx binary. Installing via npm is a standard mechanism (traceable on npm) — lower risk than ad-hoc downloads — but the metadata inconsistency (registry says 'no install spec' while SKILL.md declares one) is confusing and should be fixed.
Credentials
The skill needs API credentials to operate (okx CLI profile with AK/SK/PP stored in the local config), which is proportionate to managing exchange funds. But the registry metadata lists no required env vars or config paths while SKILL.md explicitly references ~/.okx/config.toml and `okx config` profiles. That omission in metadata is an incoherence; the skill should declare the config path and credential requirements upfront. Also note the skill will perform WRITE operations — users should supply keys with appropriate, limited permissions.
Persistence & Privilege
The skill is not marked always:true and does not request to modify other skills or system-wide settings. Autonomous invocation is allowed (platform default), and the skill's writes require explicit confirmation in many flows; nevertheless, because it can execute real fund-moving commands, users should be careful about allowing autonomous runs and ensure the agent prompts for confirmation before any WRITE.
What to consider before installing
This skill appears to do what it says (control OKX Earn via the okx CLI), but there are a few things to check before installing:
1) Metadata mismatch: SKILL.md requires the okx CLI and suggests npm install @okx_ai/okx-trade-cli, yet the registry summary lists no install or required binaries. Ask the publisher to correct the metadata.
2) Credential exposure: the skill expects API keys stored in your local okx CLI profile (e.g. ~/.okx/config.toml). Only use API credentials you control; prefer keys with minimal permissions (for example, omit Withdraw permission if you don't want on-chain transfers).
3) Test safely: initially test read-only flows and/or use a dedicated test API profile with minimal balances.
4) Review npm package: verify @okx_ai/okx-trade-cli is the official CLI on npm/GitHub before installing.
5) Autonomy: because the skill can execute WRITE commands, ensure the agent is configured to require explicit user confirmation for fund-moving operations, or avoid enabling autonomous invocation.
If the publisher can clarify the install/requirement metadata and confirm the npm package origin, the inconsistencies here would be resolved.
