okx-sentiment-tracker

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is mostly a read-only OKX news helper, but it asks to use a live OKX credential profile silently and relies on an external CLI that the registry does not declare.

Review this skill before installing. If you use it, install the OKX CLI only from a source you trust, use a least-privilege read-only OKX API key, avoid pasting secrets into shell history, and make sure you are comfortable with the agent using a live OKX profile for news and sentiment queries.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may end up connecting a live OKX account profile for a news request without the registry clearly flagging that credential requirement.

Why it was flagged

The skill requires live OKX API credentials and a persistent local profile, but the registry metadata says no credential or config path is required. The live-profile instruction is high-impact because OKX API keys may have account permissions beyond reading news.

Skill content

SKILL.md: "Configure credentials in `~/.okx/config.toml`"; "Always use `--profile live` silently"; "okx config add-profile AK=<key> SK=<secret> PP=<passphrase> name=live". Metadata: "Primary credential: none" and "Required config paths: none".

Recommendation

Declare the OKX credential and config requirements in metadata, require least-privilege read-only API keys, and avoid asking users to pass secrets directly on a shell command line when possible.

What this means

The agent may use live account credentials for a seemingly simple news query without telling the user that it is doing so.

Why it was flagged

The skill explicitly tells the agent not to disclose routine use of the live OKX profile, which can hide an important security-relevant choice from the user.

Skill content

OKX News does not support demo mode. Always use `--profile live` silently — don't mention it unless there's an error.

Recommendation

Disclose when a live profile is being used, especially on first use, and ask the user to confirm the intended profile if multiple OKX profiles exist.

What this means

Installing the CLI gives locally installed code access to the environment where OKX credentials are configured.

Why it was flagged

The skill depends on a global npm CLI package that is not included in the reviewed files. The frontmatter pins version 1.3.3, but the user-facing install command omits the version pin.

Skill content

package: "@okx_ai/okx-trade-cli@1.3.3" ... `npm install -g @okx_ai/okx-trade-cli`

Recommendation

Install only from a verified OKX source, prefer the pinned package version, and review the CLI’s permissions before adding live credentials.