Query BingX official announcements by module type — latest announcements, promotions, product updates, maintenance notices, listing/delisting, funding rate,...
Security Analysis
medium confidence
The skill is internally consistent with its stated purpose — it calls a public, read-only BingX announcements endpoint and requires no credentials or install — but source metadata is minimal and a few documentation requirements are unusual, so verify origins before use.
Name and description match the provided instructions and api-reference: the skill documents a public announcements endpoint and only needs HTTP GETs. No extraneous credentials, binaries, or installs are requested.
Instructions are limited to read-only API requests and summarizing results. Two unusual points: (1) the SKILL mandates including a static header X-SOURCE-KEY: BX-AI-SKILL on every request (not an auth secret, appears to be a tracking/source header), and (2) it requires copying the fetchContent function verbatim. Neither is inherently malicious, but the verbatim requirement is atypical and reduces implementation flexibility. The docs reference a relative file references/base-urls.md that is not included in the provided manifest — callers must ensure BASE_URLS are set to official domains.
This is an instruction-only skill with no install spec and no code files that execute on install. That's the lowest-risk model and matches the declared metadata.
The skill requests no environment variables, no credentials, and no config paths. That is proportionate to accessing a public API. The X-SOURCE-KEY header is a constant (not a secret) declared in the docs.
always is false and the skill does not request persistent privileges or system-wide config changes. It does not instruct modifying other skills or storing credentials.
Guidance
This skill appears to do exactly what it says: fetch public BingX announcements via a read-only API and summarize them. Before installing, confirm you trust the skill's source (owner ID and the missing homepage/source are limited metadata). Also check the BASE_URLS you or the agent will use (the docs reference a missing references/base-urls.md) and prefer the official domain (https://open-api.bingx.com). Be aware the SKILL mandates adding a non-secret header X-SOURCE-KEY: BX-AI-SKILL and copying the provided fetchContent function verbatim — these are unusual constraints but not dangerous by themselves. If you need higher assurance, request a skill with a published source repository or homepage and explicit base-URL configuration.
Latest Release
v0.1.2
- Initial release of the bingx-announcement skill.
- Enables querying BingX official announcements by module type (latest, promotions, updates, maintenance, listings, funding, etc.).
- Supports language selection (`zh-tw` or `en-us`) and pagination.
- Provides a ready-to-use TypeScript fetch helper with strict usage requirements.
- No authentication or signature needed; uses public endpoints.
- Includes clear parameter and usage rules for easy integration.
Published by @julian-l on ClawHub