Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Okx Defi Portfolio

v2.2.10

Use this skill to 'check my DeFi positions', 'view DeFi holdings', 'show my DeFi portfolio', 'what DeFi am I invested in', 'show my staking positions', 'show...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals: Crypto · Requires wallet · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and description (viewing DeFi positions/holdings) align with the instructions, which call the onchainos CLI to fetch positions and details. However, the SKILL.md repeatedly instructs the agent to run onchainos commands (`wallet status`, `wallet addresses`, `defi positions`, `defi position-detail`), yet the skill metadata lists no required binaries. The implicit dependency on the onchainos CLI (or an equivalent agentic-wallet integration) is expected for this purpose, but it should have been declared.
Instruction Scope
Instructions are narrowly scoped to resolving an address (via the Agentic Wallet) and running the onchainos defi queries. They do not ask to read arbitrary files, environment variables, or transmit data to unexpected external endpoints. The skill explicitly forbids deposit/redeem/claim actions and directs users to other skills for those operations.
Install Mechanism
No install spec or code is present (instruction-only), so nothing is written to disk. This reduces attack surface. The guidance assumes existing on-chain tooling (onchainos) is available, which is an implicit requirement rather than an installed artifact.
Credentials
The skill declares no environment variables or credentials. However, it instructs the agent to access the Agentic Wallet (wallet status, wallet addresses, account switching) to resolve addresses automatically. Access to wallet addresses (and account lists) is sensitive but proportionate for a portfolio-viewing skill; the SKILL.md does not declare this access in metadata and does not request explicit permission beyond 'confirm the resolved address with the user'.
Persistence & Privilege
The skill does not request `always: true` and has no install behavior. It does not modify other skills' configuration or claim permanent presence; autonomous invocation is allowed (the default) but is not combined with other high-risk factors here.
What to consider before installing
This skill appears to be a read-only DeFi portfolio viewer that uses the onchainos CLI / OKX agentic wallet to resolve addresses and query positions. Things to consider before installing:

- The SKILL.md expects the onchainos CLI (or equivalent agent tooling) to be available and instructs running commands like `onchainos wallet status`, `onchainos wallet addresses`, and `onchainos defi positions`, but the skill metadata does not declare that binary as a required dependency. Confirm you have and trust the onchainos tooling the skill will call.
- The skill will automatically attempt to read your Agentic Wallet addresses (and may iterate over multiple account IDs if you ask it to check "all accounts"). That is necessary for its purpose but is sensitive. If you prefer, provide wallet addresses manually when invoking the skill rather than letting it resolve them automatically.
- There is no install step or bundled code (lower surface area), and the instructions explicitly limit actions to viewing positions (not deposits/claims). Still, because the skill can access your wallet addresses, only enable it if you trust the environment that manages your Agentic Wallet and the onchainos tooling.

If you want higher assurance, ask the skill author to: declare the onchainos CLI as a required binary, explicitly document what wallet data will be accessed, and optionally require explicit user consent before enumerating multiple accounts.


Version: latest · vk9701nsyrfzcrsznjxybq4btws84yh0h
