ClawHub

OlaXBT Nexus Data

v1.0.2

Access OlaXBT Nexus cryptocurrency data APIs — market data, news, KOL tracking, technical indicators, and trading insights. Uses a wallet-linked JWT; no priv...

3· 169·0 current·0 all-time
by@olaxbt-dev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (Nexus data API) match the requested environment access (NEXUS_JWT) and the provided API clients. The skill exposes many data endpoints consistent with a market-data wrapper. Requiring a JWT is expected; no unrelated cloud credentials or system paths are requested.
Instruction Scope
SKILL.md instructs the agent to read NEXUS_JWT (and optional NEXUS_* URLs) and to call the OlaXBT API endpoints via HTTPS; example code and README follow that scope. The instructions do not request other environment variables, files, or send data to unexpected endpoints beyond the documented api.olaxbt.xyz and api-data.olaxbt.xyz URLs.
Install Mechanism
Registry metadata said 'No install spec — instruction-only skill' but the bundle includes a full Python package (pyproject.toml, many src files) and installation instructions (pip install olaxbt-nexus-data). This is not necessarily malicious but is an inconsistency: the skill will write code to disk if installed as a package and has non-trivial dependencies (web3, cryptography, requests, pydantic). Verify the published package on PyPI/GitHub and the integrity of the bundle before installing.
Credentials
Only NEXUS_JWT (and optional NEXUS_AUTH_URL/NEXUS_DATA_URL) are declared and used, which is proportional. However dependencies include web3 and cryptography (capable of wallet/key operations). The SKILL.md and code claim 'no private key in skill', but you should inspect core/auth.py to confirm the package does not prompt for or persist private keys or accept private-key env vars.
Persistence & Privilege
The skill does not request always:true or system config paths and is user-invocable. It does not ask to modify other skills or system-wide settings. Autonomous invocation is permitted (platform default) but not in itself a red flag here.
Assessment
This package appears to implement a JWT-based client for OlaXBT Nexus and only needs your NEXUS_JWT and network access to api.olaxbt.xyz / api-data.olaxbt.xyz. Before installing: 1) Verify the publisher and repository URL (owner ID and homepage are sparse in the registry metadata). 2) Inspect core/auth.py to ensure the client does not accept, store, or require private keys or other secrets beyond the JWT. 3) Confirm that the package on PyPI or GitHub matches the bundle provided here (to avoid supply-chain mismatch). 4) Note the dependencies (web3, cryptography) — these can handle private keys; run the package in a low-privilege environment and avoid supplying private keys to it. 5) If you obtain the JWT via signing, follow the auth flow outside the skill and only set the JWT env var. If you want higher assurance, run the unit tests locally (pytest) and audit network calls (e.g., with a proxy) to confirm the client only communicates with the documented endpoints.

Like a lobster shell, security has layers — review code before you run it.

latestvk977d2tbzbd489r19ye54d2j0x82zfey

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvNEXUS_JWT

Comments