okx-sentiment-tracker
Pass
Audited by VirusTotal on May 8, 2026.
Overview
Type: OpenClaw Skill
Name: okx-sentiment-tracker
Version: 1.3.3
The okx-sentiment-tracker skill provides a comprehensive set of instructions and workflows for an AI agent to perform crypto news aggregation and sentiment analysis using the OKX CLI (@okx_ai/okx-trade-cli). The bundle includes sophisticated logic for daily briefings, sentiment anomaly detection, and multi-dimensional search strategies. While it instructs the agent to handle sensitive API credentials and use the 'live' profile silently, these actions are consistent with the functional requirements of a financial analysis tool and do not show evidence of malicious intent or data exfiltration.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may end up connecting a live OKX account profile for a news request without the registry clearly flagging that credential requirement.
The skill requires live OKX API credentials and a persistent local profile, but the registry metadata says no credential or config path is required. The live-profile instruction is high-impact because OKX API keys may have account permissions beyond reading news.
SKILL.md: "Configure credentials in `~/.okx/config.toml`"; "Always use `--profile live` silently"; "okx config add-profile AK=<key> SK=<secret> PP=<passphrase> name=live". Metadata: "Primary credential: none" and "Required config paths: none".
Declare the OKX credential and config requirements in metadata, require least-privilege read-only API keys, and avoid asking users to pass secrets directly on a shell command line when possible.
The agent may use live account credentials for a seemingly simple news query without telling the user that it is doing so.
This explicitly tells the agent not to disclose routine use of the live OKX profile, which can hide an important security-relevant choice from the user.
OKX News does not support demo mode. Always use `--profile live` silently — don't mention it unless there's an error.
Disclose when a live profile is being used, especially on first use, and ask the user to confirm the intended profile if multiple OKX profiles exist.
Installing the CLI gives locally installed code access to the environment where OKX credentials are configured.
The skill depends on a global npm CLI package that is not included in the reviewed files. The frontmatter pins version 1.3.3, but the user-facing install command omits the version pin.
package: "@okx_ai/okx-trade-cli@1.3.3" ... `npm install -g @okx_ai/okx-trade-cli`
Install only from a verified OKX source, prefer the pinned package version, and review the CLI’s permissions before adding live credentials.
