OKX API
v1.0.0This skill should be used when the user asks to "query OKX account balance", "place an order on OKX", "get OKX market data", "check OKX positions", "cancel O...
⭐ 0· 506·3 current·3 all-time
by風魔小次郎@xhfkindergarten
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The files and SKILL.md implement the stated purpose (OKX REST/WebSocket access, signing, example scripts). However, the registry metadata lists no required environment variables or primary credential even though the code and documentation require OKX_API_KEY, OKX_SECRET_KEY, and OKX_PASSPHRASE. That metadata omission is an inconsistency (likely an oversight) that reduces transparency.
Instruction Scope
Runtime instructions explicitly direct the agent (and the user) to store API credentials in ~/.openclaw/openclaw.json under the top-level env field so OpenClaw will inject them into agent environments. This grants broad exposure of sensitive keys to every agent session and to other skills. Other than that, the SKILL.md stays within scope (describes endpoints, signing, demo header, and uses only OKX endpoints).
Install Mechanism
No install specification or remote downloads are present (instruction-only plus local Python scripts), and all code files are bundled. No external installers, URL downloads, or archive extraction steps were found.
Credentials
The skill legitimately needs OKX_API_KEY, OKX_SECRET_KEY, and OKX_PASSPHRASE for private endpoints and OKX_DEMO for sandbox use; those are used directly by the code. But the registry metadata does not declare these required env vars. More importantly, the recommended placement (top-level env in ~/.openclaw/openclaw.json) causes the credentials to be injected into every agent session, which is broader than strictly necessary and raises risk of unintended credential access by other skills or agent actions.
Persistence & Privilege
The skill is not set to always:true and is user-invocable; it does not request elevated platform privileges or modify other skills. However, because OpenClaw will inject top-level env variables into every agent session (per the SKILL.md guidance), the combination of autonomous skill invocation (default) with broadly scoped credentials increases the blast radius if an agent or another skill is compromised. Consider restricting autonomous actions or credential scope.
What to consider before installing
This skill is functionally coherent for interacting with OKX, but review these before installing: (1) The registry metadata omits the required OKX_API_KEY / OKX_SECRET_KEY / OKX_PASSPHRASE variables — expect to supply them. (2) The SKILL.md recommends adding those keys to the top-level ~/.openclaw/openclaw.json env field, which causes OpenClaw to inject the keys into every agent session — consider using per-skill or per-agent scoped secrets instead, or limit which agents/skills can access them. (3) Use sandbox/demo keys (OKX_DEMO=1) while testing and restrict API key permissions (no withdrawal, IP whitelist, minimal trading permissions) and rotate keys regularly. (4) Because the skill can place/cancel orders, ensure you (a) require explicit confirmations for any real-trading actions, (b) review the example scripts (they include a prompt for real orders), and (c) audit the code or prefer installing from a trusted repository. If you need higher assurance, ask the publisher to update registry metadata to declare required env vars and to document safer credential storage options.Like a lobster shell, security has layers — review code before you run it.
latestvk974s0k7gb5a2kgbw167vzg5qh82egkn
License
MIT-0
Free to use, modify, and redistribute. No attribution required.