Okx Dex Market

Security checks across malware telemetry and agentic risk

Overview

This OKX market-data skill is mostly coherent, but it should be reviewed because it can automatically run a remote installer and gives conflicting WebSocket guidance involving API credentials.

Install only if you trust the OKX/onchainos GitHub release channel and are comfortable with the agent installing or updating a local CLI. Review WebSocket use carefully, keep API keys in environment variables or ignored .env files, watch payment confirmations, and unset the saved payment default when you no longer want automatic paid Market API calls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%

Finding
The skill metadata explicitly hard-blocks WebSocket script/bot usage to a different skill, but the body later provides direct `onchainos ws` commands and points to a WebSocket protocol reference. That inconsistency can cause an agent to invoke out-of-scope real-time tooling despite the declared routing restriction, increasing the chance of policy bypass or unintended capability use.

Intent-Code Divergence

Severity: Low
Confidence: 83%

Finding
The skill is presented as market-data and PnL focused, but the suggested next steps include `swap execute`, which expands into transaction execution. In agent systems, recommendation text often influences tool selection, so this can blur safety boundaries and steer users into higher-risk actions from a read-oriented skill.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%

Finding
The file documents direct WebSocket connectivity for this skill even though the skill metadata explicitly says WebSocket script/bot requests must route to a different skill. This creates an instruction conflict that can cause an agent to invoke the wrong capability, bypass intended routing boundaries, and mishandle authenticated real-time market access with API credentials.

Intent-Code Divergence

Severity: Medium
Confidence: 90%

Finding
The title and opening lines frame WebSocket access as part of this skill's supported interface, directly undermining the manifest's hard routing rule. Because agents often rely heavily on headings and introductory text, this mismatch increases the chance of incorrect tool selection and inappropriate exposure of authentication and connection workflows in the wrong skill context.

Missing User Warnings

Severity: Medium
Confidence: 95%

Finding
The preflight instructions direct the agent to download and execute a remote installer script (`install.sh` / `install.ps1`), which is a system-modifying action performed without explicit user confirmation. Although checksum verification is mentioned, this still creates a risky auto-execution path: a compromised release pipeline, malicious tagged release, or verification implementation mistake could lead to arbitrary code execution on the host.

VirusTotal

61/61 vendors flagged this skill as clean.