Okx Outcomes

Security checks across malware telemetry and agentic risk

Overview

This OKX Outcomes trading skill is mostly coherent, but it should be reviewed because it tells agents/users to install a required binary by piping an unpinned remote script into a shell.

Review the install step before using this skill. Prefer a verified release or official package-manager path for `okx-outcomes` rather than running `curl | sh` blindly. For trading use, keep the dry-run and exact `confirm` flow, never paste private keys into chat, and verify the OKX account, wallet address, market, price, and size before any write action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Context-Inappropriate Capability

Medium (96% confidence)
Finding:
The workflow instructs the agent/user to execute a remote installation command (`curl ... | sh`) that fetches and runs shell code outside the narrow trading actions the skill is supposed to orchestrate. This creates a supply-chain and arbitrary code execution risk on the host environment, especially because the fetched script can change over time and is not pinned or integrity-verified.

Missing User Warnings

Low (89% confidence)
Finding:
The documentation references the sensitive `PREDICTIONS_AGENT_PRIVATE_KEY` environment variable in a user-facing command guide, but the secrecy warning appears later and is comparatively brief. In an agent skill context, users may copy patterns mechanically, and first mention of a private key without prominent handling guidance increases the chance of exposing the key in shell history, logs, screenshots, or chat.

Vague Triggers

Medium (86% confidence)
Finding:
The onboarding trigger is overly broad: phrases like "set me up" and especially "any authed command fails with not-signed-in" can cause the agent to enter an account-auth and wallet-binding flow without sufficiently specific user intent. In a financial trading context, ambiguous activation is risky because it can steer users into sensitive authentication/setup actions they did not clearly request.

Vague Triggers

Medium (84% confidence)
Finding:
The recovery trigger "User runs any outcomes command" is too ambiguous for reliable and safe invocation because it can activate installation behavior from many unrelated contexts. In combination with the subsequent install instructions, broad matching increases the chance the agent initiates system-level setup steps when the user only intended troubleshooting or information lookup.

Missing User Warnings

Medium (97% confidence)
Finding:
The workflow recommends piping a remote script directly into `sh` without warning about host compromise, script mutability, or the need to verify source integrity. Users may treat this as routine because it appears in an agent skill, which normalizes unsafe execution of unreviewed shell code on their machine.

VirusTotal

64/64 vendors flagged this skill as clean.
