Back to skill

Security audit

okx-cex-portfolio

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed OKX portfolio skill that can read sensitive account data and perform confirmed internal account changes, with no evidence of hidden or unrelated behavior.

Install only if you want an agent to access your OKX balances, positions, bills, and related account data. Use demo mode first, keep credentials out of chat, verify live versus demo mode before every action, and carefully review any transfer or position-mode change before approving it because live mode can affect real funds.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill is designed to retrieve highly sensitive financial data such as balances, positions, bills, fee tiers, and account configuration, but it lacks an explicit user-facing privacy warning before exposing that data. In an agent setting, this increases the chance that sensitive account information is fetched and surfaced without the user clearly understanding the privacy implications or the scope of data being revealed.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.