Orderly One Dex
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This instruction-only skill is coherent for managing an Orderly One DEX, but it can authenticate with your wallet and change publicly deployed DEX settings, so review write actions before approving them.
This looks like a purpose-aligned, instruction-only API guide. Before using it, verify the Orderly API/MCP source, confirm whether you are using mainnet or testnet, only sign the expected Orderly nonce message, review every write/deploy/domain/graduation payload before it is sent, and only add trusted analytics scripts.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent sends the wrong create, update, domain, or deployment request, it could change a public DEX site or configuration.
The skill is intended to trigger external write and deployment operations that can affect a public DEX; this is aligned with the purpose, but mistakes would have visible impact.
Users configure a DEX ... the API forks a GitHub template repo, and GitHub Actions deploys to GitHub Pages.
Before any POST, PUT, deployment, custom-domain, or graduation action, have the agent show the target environment and full request payload and wait for explicit approval.
Signing the authentication message may allow subsequent API actions under your Orderly One identity.
The documented authentication flow uses a wallet signature to authenticate the user to Orderly One. This is expected for the integration, but it grants account-level API access.
Sign: `"Sign this message to authenticate with Orderly One: {nonce}"`
Only sign the exact nonce message from the expected Orderly API environment, and do not sign unrelated wallet messages or transactions without separate review.
Endpoint details or behavior could depend on an external tool that was not reviewed here.
The skill depends on an external MCP helper for endpoint details, but that tool is not included in the provided instruction-only artifact set.
Use `get_orderly_one_api_info` MCP tool for full endpoint details.
Verify the MCP server/tool provenance and permissions separately before relying on it for authenticated or write operations.
An incorrect or untrusted analytics script could affect visitors to the deployed DEX.
The API supports an analytics-script field for the generated DEX. This appears purpose-aligned, but scripts added to a public site can execute in users' browsers.
`analyticsScript` | string | Base64 encoded
Only use trusted analytics code, review the decoded script before submission, and avoid letting the agent invent or fetch scripts automatically.
