okx-cex-portfolio
v1.2.8
This skill should be used when the user asks about 'account balance', 'how much USDT do I have', 'my funding account', 'show my positions', 'open positions',...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (account balances, positions, transfers) match the instructions and required artifacts: it expects an 'okx' CLI and OKX API credentials. Nothing in the SKILL.md requests unrelated services or credentials.
Instruction Scope
Runtime instructions are limited to running the okx CLI, checking/configuring ~/.okx/config.toml, and requiring explicit profile confirmation for write actions. The skill explicitly warns not to paste credentials into chat. It does not instruct the agent to read unrelated files or exfiltrate data to third-party endpoints.
Install Mechanism
Frontmatter and README recommend installing @okx_ai/okx-trade-cli via npm (npm install -g). This is a standard public-registry install (moderate risk). There is an inconsistency: registry metadata says 'no install spec' but SKILL.md contains an install declaration—verify which source the platform will use and prefer reviewing the npm package before installing.
Credentials
The skill requires OKX API credentials (OKX_API_KEY, OKX_SECRET_KEY, OKX_PASSPHRASE) and references ~/.okx/config.toml. Those credentials are appropriate and necessary for the described account/transfer operations; no unrelated secrets or extra env vars are requested.
Persistence & Privilege
Skill is not always-enabled and uses default autonomous invocation. It does not request persistent system-wide modifications or access to other skills' configs.
Assessment
This skill appears to do what it says: it runs the OKX CLI and needs your OKX API keys and config file (~/.okx/config.toml). Before installing or enabling it:
(1) Verify the npm package @okx_ai/okx-trade-cli—check the publisher, README, and source code (if available) because npm packages are a moderate-risk install;
(2) Create API keys with the minimum required permissions (avoid enabling withdrawals unless necessary);
(3) Test in demo mode first and confirm the skill requires explicit profile confirmation before any write operation;
(4) Note the metadata/instruction inconsistency (registry says no install spec but SKILL.md includes one)—ask the provider or registry maintainer which install mechanism is authoritative;
(5) Never paste your secret keys into chat; edit ~/.okx/config.toml locally if needed.
If you cannot inspect the npm package or verify the publisher, treat this as higher-risk and avoid providing live API keys.
Like a lobster shell, security has layers — review code before you run it.
