Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Okx Strategy Factory
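v2.0.1
Agent Team Factory: coordinates 5 AI agents (Strategy/Backtest/Infra/Publish/Iteration) to carry out the full lifecycle of OKX OnchainOS on-chain trading strategies: development, backtesting, deployment, publishing, and iteration. Supports multiple strategies in parallel, each with independent state management. Trigger words: strategy development, agent team, ...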
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's stated purpose (develop/backtest/deploy/publish on OKX OnchainOS) legitimately requires onchainos CLI, OKX API credentials, an agent wallet and deploy tooling (SSH/pm2). However the registry metadata lists no required env vars or binaries. Additionally SKILL.md references ./deploy.sh but no deploy.sh is present in the bundle, suggesting missing pieces or reliance on external scripts—this mismatch between declared requirements and actual needs is incoherent.
Instruction Scope
Runtime instructions are narrowly focused on the pipeline (reading roles/, references/, assets/, gating, generating files under Strategy/). They direct agents to run local scripts (assets/publish.sh, hooks/*.sh) and to invoke an onchainos CLI wrapper (via subprocess) for wallet/swap/gateway operations. The instructions do not attempt broad system access beyond the repo tree, but they do require access to credentials and to run deploy/publish procedures that can perform network operations (git push, SSH to VPS, onchainos calls).
Install Mechanism
There is no install spec (instruction-only skill + shipped scripts). No remote downloads or packaged installers are used in the bundle, which reduces supply-chain risk. The provided bash scripts are plain-text and not obfuscated; they perform local file checks, git operations, and gating logic.
Credentials
Although the skill bundle itself does not declare required environment variables, the docs and references explicitly expect OKX API keys (OKX_API_KEY, OKX_SECRET_KEY, OKX_PASSPHRASE), an agentic wallet for TEE signing, and optionally 1Password CLI. Those credentials are necessary for the stated purpose (on-chain trading), so their absence from declared requirements is an important inconsistency the user should note before providing secrets.
Persistence & Privilege
The skill does not request always:true and does not declare modifications to other skills or global agent settings. Its scripts operate on repository files (Strategy/*) and can run git push / SSH via deploy/publish workflows — normal for a deployment pipeline but requires user-controlled credentials/targets.
What to consider before installing
What to check before installing or running this skill:
- Do not supply OKX API keys, SSH credentials, or 1Password/secret CLI access to this skill unless you trust the author and understand the deployment targets. The README and references expect OKX API keys and an agent wallet, but the registry metadata did not declare them — this mismatch is suspicious.
- Review the bundled scripts (assets/publish.sh, hooks/*.sh) and any deploy.sh referenced by SKILL.md. publish.sh can run git commit/push and copy user-specified scripts; ensure any git remote/credentials and the intended commit/push behavior are safe for your environment.
- Note deploy.sh is referenced but not included in the package. Confirm where deploy.sh should come from and inspect it before running; automatic deployment to a VPS will require SSH access and can affect live systems.
- Test in a sandbox repository / isolated environment first (no real keys, no real VPS) to observe what files the skill reads/writes and what commands it would execute.
- If you plan to run real backtests or deploy live, provide credentials via a managed secret store (not direct chat) and limit the keys' scope (trade permissions, restricted IPs) and balance exposure.
- If you need clarity from the author: ask where deploy.sh comes from, which git remotes the publish script will push to, and whether the skill collects or transmits any telemetry externally. If the answers are unclear or absent, avoid giving secrets or running deploy/publish steps.

Like a lobster shell, security has layers — review code before you run it.
