Use this skill to 'check my DeFi positions', 'view DeFi holdings', 'show my DeFi portfolio', 'what DeFi am I invested in', 'show my staking positions', 'show...
Security Analysis
medium confidence
The skill appears to do what it says (view DeFi positions) and has no declared secrets or installs, but its runtime instructions rely on the onchainos CLI and other OKX agentic-wallet skills while the metadata declares no required binaries or dependencies — an internal inconsistency worth clarifying before install.
SKILL.md repeatedly instructs the agent to run the onchainos CLI (e.g., `onchainos defi positions`, `onchainos wallet status`, `wallet switch`) and references other OKX skills (okx-agentic-wallet, okx-defi-invest). However, the skill metadata lists no required binaries, no install steps, and no primary credential. The use of a specific CLI without declaring it is an incoherence: a legitimate viewer skill should declare that onchainos (or equivalent) must be present or provide an install path.
The instructions are narrowly scoped to querying DeFi positions and resolving wallet addresses via the Agentic Wallet. They do not instruct reading arbitrary files or exporting data to external endpoints. They do instruct potentially enumerating multiple accounts (via `wallet balance --all` and `wallet switch <id>`) and require the agent to access wallet status and addresses — which is relevant to the stated purpose but should be explicitly disclosed.
This is an instruction-only skill with no install spec and no code files, so it does not write or install code. That minimizes install risk. The remaining issue is the missing declaration that the onchainos CLI (or equivalent) is required on the host.
The skill requests no environment variables, no credentials, and no config paths in metadata. The runtime instructions do access wallet state via the Agentic Wallet, but this access is consistent with viewing on-chain positions and is not requesting unrelated secrets or cloud credentials.
Flags are default (not always:true). The skill permits autonomous invocation (platform default). There is no indication it writes persistent system-wide configuration or modifies other skills. Note: because it accesses Agentic Wallet state, autonomous invocation combined with unclear dependency declarations could increase risk if the wallet integration is misconfigured.
Guidance
This skill is broadly consistent with a DeFi-position viewer, but it omits an important dependency: the SKILL.md expects the onchainos CLI and references OKX agentic-wallet operations while the metadata declares no required binaries or install steps. Before installing, ask the publisher to:
1) explicitly declare required binaries (e.g., onchainos) or provide an install method;
2) confirm which other OKX skills it depends on (okx-agentic-wallet, okx-defi-invest) and whether those are installed or required;
3) confirm the skill will only read wallet status/addresses and will never execute transactions (the docs say 'do NOT use for deposit/redeem/claim' but verify enforcement).
If you do install, ensure the Agentic Wallet integration is configured so the agent prompts and you confirm addresses before queries (the skill instructs confirmation, but confirm behavior is enforced). Because no credentials are requested in metadata this is lower-risk, but the undeclared CLI dependency is an inconsistency that should be resolved.
Latest Release
v2.6.0
**Summary:** Improves routing logic for DeFi portfolio queries, ensuring correct skill usage when users mention specific DApps by name.
- Updated routing rules to use okx-dapp-discovery when the user names a specific third-party DApp (e.g. "my Aave positions").
- Clarified description and guidance to avoid using this skill for protocol-native views or explicit DApp requests.
- No changes to commands, chain support, or display rules.
Published by @ok-james-01 on ClawHub