Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
okx-cex-skill-mp
v1.3.0
Use this skill when the user asks to: 'find a trading skill', 'search for skills', 'install a skill', 'add a skill', 'download a skill', 'browse skill market...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes a marketplace manager (search, download, install skills) which reasonably needs the OKX CLI and marketplace API access. However the registry-level metadata (requirements section) incorrectly lists no required binaries or env vars, creating an inconsistency between what the skill says it needs and what the registry declares.
Instruction Scope
Runtime instructions direct the agent to install an OKX CLI (npm global package), run `okx skill add`/`okx skill download`, run `npx skills add` to propagate installs to detected agents, and write to local paths (e.g., ~/.okx/skills/registry.json and agent skill directories). These steps are expected for a marketplace manager but they grant the skill the ability to download and install arbitrary third‑party skill packages and to run code via npx — a high‑impact operation that should be restricted and inspected.
Install Mechanism
There is no install spec in the registry manifest, but SKILL.md includes an npm install suggestion for @okx_ai/okx-trade-cli and describes downloading zip packages from the marketplace. npm global installs and npx-based installs are moderately risky because they execute third‑party code; downloading and extracting zips from an external marketplace also writes arbitrary content to disk. The registry/manifest mismatch increases uncertainty about what will actually be installed.
Credentials
SKILL.md explicitly says marketplace API credentials are required and instructs `okx config init`, but the skill's declared requirements list zero env vars and no primary credential. The instructions also reference user config files and agent skill directories. Requesting API keys would be proportionate, but the missing declarations are an incoherence that should be clarified before trusting the skill.
Persistence & Privilege
always:false and user‑invocable are appropriate. The skill instructs installing (and recording) skills system‑wide to all detected agents and writing to ~/.okx/skills/registry.json, which is consistent with its purpose but gives it broad local privilege. This behavior is expected for a marketplace installer but warrants caution because it affects multiple agent environments.
What to consider before installing
This skill acts as a marketplace installer — it downloads and installs third‑party skills (zip packages, runs npx, and may install an npm CLI). Before installing:
1) Confirm the OKX CLI package name (@okx_ai/okx-trade-cli) and its source (npm org and OKX website) are legitimate;
2) Be prepared to provide marketplace API keys — only use keys you trust and consider creating scoped/limited keys;
3) Prefer downloading skill packages and inspecting their SKILL.md and contents before running `npx` or `okx skill add`;
4) Avoid blanket installs to "all detected agents" — install to a single sandboxed agent first;
5) Keep backups and rotate credentials if you suspect misuse.
Also ask the publisher/registry to fix the manifest so required binaries/env vars are declared consistently.
Like a lobster shell, security has layers — review code before you run it.
latestvk9712ksanbfv0zbcc1czetnkmd84f6st
