v1.3.2

okx-cex-trade

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 6:48 AM.

Analysis

This OKX trading skill is coherent and not obviously malicious, but it can use exchange credentials to place real crypto, derivatives, options, and event-contract trades, so it deserves careful review before installation.

GuidanceInstall this only if you intend to let an agent help trade on OKX. Start in demo mode, verify the OKX CLI package, use a dedicated trading-only API key or OAuth profile with no withdrawal permission, and require explicit confirmation before any live order, leverage change, cancellation, or position close.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityHighConfidenceHighStatusConcern

SKILL.md

Place, cancel, amend, and monitor orders; ... trade binary outcome event contracts ... set take-profit/stop-loss and trailing stops; manage leverage and positions. Requires API credentials.

The skill explicitly grants the agent real exchange-trading authority, including leveraged and derivative-style actions that can materially change the user's financial positions.

User impactA wrong command, misunderstood instruction, or insufficient confirmation could place or alter live trades and cause financial loss.

RecommendationUse demo mode first, require explicit confirmation of mode/instrument/side/size/price for every live trade, and avoid enabling unattended live trading.

Agentic Supply Chain Vulnerabilities

SeverityMediumConfidenceHighStatusNote

SKILL.md

package: "@okx_ai/okx-trade-cli@1.3.2" ... npm install -g @okx_ai/okx-trade-cli

The skill is otherwise instruction-only but asks the user to install a global npm CLI that will handle trading commands and credentials; this is disclosed and purpose-aligned, but the package code is not part of the provided artifacts and the setup command shown is not version-pinned.

User impactYou are relying on an external CLI package for sensitive trading operations.

RecommendationVerify the npm package publisher/source, prefer installing the pinned version matching the skill metadata, and keep the CLI installed only from trusted sources.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityHighConfidenceHighStatusConcern

SKILL.md

okx config show --json      # reveals API-key profiles (TOML config)
okx auth status --json      # reveals OAuth session state

The skill directs the agent to inspect and use local OKX API-key profiles or OAuth session state before authenticated trading commands.

User impactThe agent can operate with the user's delegated OKX account authority, so any available trading permissions may be used by commands generated through this skill.

RecommendationUse a dedicated least-privilege OKX profile or API key, disable withdrawals, separate demo and live profiles, and review all generated commands before execution.