OKX MCP Skill

v1.0.1

Use OKX OnchainOS MCP through UXC for token discovery, market data, wallet balance, and swap execution planning. Use when tasks need OKX MCP tools such as to...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description (OKX MCP via UXC) matches the instructions (calls to web3.okx.com via uxc/okx-mcp-cli). However the metadata declares no required binaries or env vars while the runtime instructions explicitly require the 'uxc' CLI, a linked 'okx-mcp-cli', network access to https://web3.okx.com/api/v1/onchainos-mcp, and an OKX API key. That mismatch (declared nothing vs. instructions needing tools/keys) is incoherent.
Instruction Scope
SKILL.md instructs the agent to run commands (uxc, okx-mcp-cli) and to configure credentials using either an env var (OKX_ACCESS_KEY) or an operator secret path (op://Engineering/okx/OK-ACCESS-KEY). Those instructions access environment/secret sources that are not declared in metadata. The docs also embed a literal demo API key for read-only trials — useful for testing but increases risk if users copy it unintentionally into production credentials.
Install Mechanism
This is an instruction-only skill with no install spec; nothing is downloaded or written by the skill itself. The included scripts/validate.sh are repo-validation helpers and not part of runtime installation, so install risk is low.
Credentials
Requesting an OKX API key is appropriate for the stated purpose, but the skill metadata lists no required env vars and no primary credential while the SKILL.md references OKX_ACCESS_KEY and an op:// secret source. The example op:// path (op://Engineering/okx/...) suggests an operator vault path — it's only an example, but it could confuse users into granting or pointing to broader secrets than necessary. Overall the credential handling is plausible but not proportionately declared or explained.
Persistence & Privilege
The skill does not request always:true or other elevated persistent privileges. It does not modify other skills or system-wide settings in the instructions. Default autonomous invocation is allowed (platform default) and is not, by itself, a red flag here.
What to consider before installing
Key issues to consider before installing:
(1) SKILL.md requires the 'uxc' CLI and uses a linked command 'okx-mcp-cli' but the skill metadata advertises no required binaries — ensure you have uxc installed and trust that CLI.
(2) The skill expects an OKX API key (examples show OKX_ACCESS_KEY or op:// vault paths) but metadata doesn't declare required env vars; do not store sensitive keys in places you don't control.
(3) The README includes a public demo API key — fine for read-only testing but replace it for production.
(4) The op:// example references an organizational secret path; confirm you understand where secrets would be stored and that you won't accidentally grant access to broader vaults.
(5) If you need stronger assurance, ask the publisher to update metadata to declare required binaries (uxc, okx-mcp-cli) and env vars, and to remove or clearly label any demo keys / example secret paths.
Run this skill in a restricted environment until you verify behavior.
