Okx Security
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be an OKX on-chain security helper, but it can auto-download and run a remote installer and can use a wallet session to execute approval-revocation transactions.
Install only if you trust the OKX/onchainos CLI source. Prefer manually installing and verifying the CLI yourself, and do not let the agent run wallet contract calls or broadcasts unless you have reviewed the exact transaction and explicitly approved it.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or updating the skill may run remote code on the user's machine before a scan is performed.
The skill is registered with no install spec, but its runtime instructions fetch the latest remote installer and run it. Checksum verification helps, but the installer and checksum are both obtained from the same release flow and the code being executed is not included in the reviewed artifact set.
Download the installer... raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh ... Verify ... Execute: `sh /tmp/onchainos-install.sh`
Require explicit user approval before installing or updating, pin the CLI version, publish a proper install spec, and prefer a reviewed or manually installed binary from a verified OKX source.
A wallet-connected agent could spend gas and change token approvals if the revoke step is run without careful user review.
The approval workflow can progress from detecting risky approvals to executing an on-chain contract call from an Agentic Wallet. It requires a tx-scan first, but the shown workflow does not clearly require explicit user confirmation immediately before the contract-call.
Execute revoke: ... Path B (Agentic Wallet): `onchainos wallet contract-call --to <token_contract> --chain <chain> --input-data <revoke_calldata>`
Before any contract-call or broadcast, show the chain, token contract, spender, calldata, gas impact, and risk result, then require explicit user confirmation.
The skill may use the currently logged-in wallet address and related wallet data for scans.
Using the active Agentic Wallet identity is expected for approval checks, but it means the skill relies on local wallet session state even though the registry lists no primary credential.
If the user does not specify an address, use the EVM address of the currently logged-in Agentic Wallet (from `onchainos wallet status`).
Use only with the intended wallet session, review which address is being scanned, and avoid storing API keys or wallet-related secrets in project files.
