Skill v1.3.2
ClawScan security
okx-cex-skill-mp · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 27, 2026, 4:17 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly behaves like an OKX marketplace helper (search, download, install skills) but the package metadata and runtime instructions are inconsistent and it instructs the agent to download and install third‑party code into multiple agents — a capability that deserves caution.
- Guidance: This skill appears to be a marketplace manager and its behavior (installing skills from the OKX marketplace) matches that description — but there are inconsistencies in the package metadata and the runtime instructions perform high‑impact actions. Before installing or using it:
  1. Verify the OKX CLI package (@okx_ai/okx-trade-cli) is official and from a trusted source (check npm publisher, package integrity, vendor docs).
  2. Be cautious about running global npm installs and 'npx' commands — consider testing in an isolated environment.
  3. Understand that 'okx skill add' will download and install third‑party skills into your agents' skill directories (and may run install-time scripts); only install skills from authors you trust and inspect the downloaded SKILL.md/_meta.json before enabling them.
  4. Resolve the manifest inconsistency: the registry shows no required binaries/env while SKILL.md requires the 'okx' CLI and API credentials — ask the publisher to correct metadata.

  If you want to limit blast radius, prefer using 'okx skill download' and manually review/unpack the zip rather than automatic 'add' that installs into all agents.
Review Dimensions
- Purpose & Capability (note): The SKILL.md describes a marketplace manager (search, download, install, remove skills) and its required artifacts (okx CLI and marketplace API credentials) are coherent with that purpose. However, the registry metadata presented to the evaluator claims no required binaries/env vars while the SKILL.md explicitly requires the 'okx' CLI and API credentials. This mismatch is an inconsistency that should be resolved before trust.
- Instruction Scope (concern): The instructions tell the agent to run the OKX CLI to download skill packages, extract them, run 'npx skills add', and install to all detected agents. That behavior is within the marketplace role but it also grants the skill the ability to fetch and install arbitrary third‑party skills (which will run with the agent's full permissions). The SKILL.md also suggests global npm installs and running 'okx config init' to store API credentials. These steps collect/configure credentials and install/execute downloaded code — scope is broad and requires explicit user trust and review.
- Install Mechanism (note): Installation is instruction-only (no code files in skill bundle), but the SKILL.md recommends installing a scoped npm package (@okx_ai/okx-trade-cli). Using npm is a common delivery method for a CLI, but it can execute arbitrary code and is a moderate-risk install mechanism. There is also an internal inconsistency: the top-level manifest claimed 'No install spec', but the SKILL.md contains an install block describing the npm package. That discrepancy is worth clarifying.
- Credentials (note): The SKILL.md says marketplace access requires API credentials and asks the user to run 'okx config init' to configure them. Requesting marketplace API credentials is expected for this functionality. There are no unrelated credentials requested. The manifest metadata, however, did not declare these env requirements — another inconsistency.
- Persistence & Privilege (concern): The skill does not set always:true (good), but it instructs installation of downloaded skills into all detected agents and uses 'npx skills add' to propagate installs across agent environments. That means a user invoking this can cause code to be added to other agent runtimes and to agent skill directories (e.g., ~/.agents/skills/). Modifying other agents' skill sets is a significant side effect and raises privilege/persistence concerns unless the user knowingly authorizes it.
