Use this skill to bridge tokens, cross-chain swap/transfer, move assets between chains, get cross-chain quotes, compare bridge fees, find the cheapest/fastes...
Security Analysis
Confidence: medium
The skill mostly matches its stated bridging purpose, but its runtime instructions expect installing and running a separate CLI (download and execute from GitHub) and rely on credentials/JWTs that are not declared. These mismatches deserve caution before installing or running.
The skill claims to perform cross-chain quoting, approvals, swaps and status tracking via an 'onchainos' CLI. That functionality reasonably requires a CLI that talks to OKX APIs and the user's wallet, so expecting an external binary is coherent. However, the skill metadata declares no required binaries or credentials even though SKILL.md repeatedly references the 'onchainos' CLI and server-side authentication (JWT or AK env vars). The missing declaration of the CLI and auth requirements is an inconsistency.
SKILL.md and shared files direct the agent to fetch real-time data via the onchainos CLI and to run seven explicit subcommands. The instructions also direct network actions (GitHub API calls, downloading installers, running onchainos commands) and to read sibling shared files for preflight and chain support. Those actions fit the described purpose, but the skill's runtime behavior includes: executing installer scripts downloaded from raw.githubusercontent.com and invoking onchainos which may prompt for or use JWTs/AKs — none of which were declared in the skill manifest.
There is no formal install spec in the registry, but the included preflight.md instructs downloading an install.sh (or install.ps1) from raw.githubusercontent.com and release assets from github.com and then executing the installer. These hosts are standard release channels (GitHub) and the instructions require checksum verification, which reduces risk. Nonetheless, download-and-execute remains a higher-risk action and should be validated by the user (review the installer, verify checksums, and prefer manual install if unsure).
The manifest lists no required environment variables or primary credentials, but the CLI reference and preflight explicitly mention authentication via JWT from 'wallet login' or AK env vars, and suggest creating a personal key (.env) when rate-limited. This is a concrete mismatch: the skill will likely need wallet credentials or API keys to function, yet none are declared. The agent instructions also discuss a 'shared API key' and JWTs, so users should assume secret material will be involved even though the registry metadata omits it.
The skill does not request always:true and does not ask to modify other skills or system-wide settings. The preflight may install a user-level binary under standard user paths (e.g., ~/.local/bin or %USERPROFILE%\.local\bin) and create a per-user cache (~/.onchainos). Those are typical for a CLI tool and are proportionate to the stated purpose.
Guidance
This skill is coherent with a cross-chain CLI workflow but has some gaps you should be aware of before installing or running it:
- The SKILL.md expects the 'onchainos' CLI and server authentication (JWT or AK env vars), but the skill metadata lists no required binaries or environment variables. Assume you'll need to install the CLI and provide wallet/API credentials.
- The provided preflight instructs downloading an installer (install.sh / install.ps1) from GitHub and executing it. Although it also instructs verifying SHA256 checksums (good practice), downloading-and-running install scripts is inherently risky. Prefer to:
  - Manually inspect the installer script at the referenced GitHub release before executing it.
  - Verify the checksum and the release authenticity on GitHub (check the repo, publisher, and release history).
  - If possible, install the CLI from the official OKX website or package manager instead of via an automated script.
- Expect the tool to ask for authentication (wallet login or API key). Do not paste private keys or secrets into untrusted shells; prefer using secure local wallet tooling or ephemeral credentials.
- If you need higher assurance, ask the skill publisher for an explicit manifest update that declares the required binary ('onchainos') and any environment variables needed (JWT, AK_*, etc.), or run the CLI in an isolated environment (VM/container) first.
Given these mismatches (undeclared CLI and secret usage plus a download-and-execute install flow), treat the skill with caution and validate the installer and auth flows before use.
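The stage, verify and inspect sequence the guidance recommends, written out as a small POSIX shell helper. This is an added example, not the skill's preflight.md or the publisher's installer; the installer URL and expected SHA256 in the usage comment are placeholders you would replace with values read from the GitHub release page, and the pattern list in the review step is an assumed starting point, not a complete audit.

```shell
#!/bin/sh
# Added example, not part of the skill or its publisher's tooling.
# Flow: download to a file (never pipe into a shell), verify SHA256 against a
# value obtained out-of-band from the release page, then print risky lines for
# a human to read. Executing the staged installer stays a separate manual step.

# SHA256 of a file, portable across sha256sum (Linux) and shasum (macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Fetch the installer to disk only. HTTPS is enforced, including on redirects.
stage_installer() {
    curl -fsSL --proto '=https' --tlsv1.2 -o "$2" "$1"
}

# 0 when the file digest equals the expected hex string (case-insensitive),
# 1 otherwise. An empty expected value never matches.
verify_checksum() {
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Print lines that deserve a human look (pipe-to-shell, eval, sudo, base64
# decoding, writes to login or sudo config). Returns 1 when any are found so a
# chained command stops, 2 if the file is unreadable, 0 when nothing matched.
review_installer() {
    [ -r "$1" ] || return 2
    if grep -nE 'curl[^|]*\|[[:space:]]*(ba|z)?sh|wget[^|]*\|[[:space:]]*(ba|z)?sh|(^|[;&|[:space:]])eval[[:space:]]|(^|[;&|[:space:]])sudo[[:space:]]|base64[[:space:]]+(-d|--decode)|/etc/(profile|sudoers)' "$1"; then
        return 1
    fi
    return 0
}

# Usage (PLACEHOLDER values; only the first step needs network):
#   INSTALLER_URL='https://PLACEHOLDER/install.sh' EXPECTED_SHA256='PLACEHOLDER'
#   stage_installer "$INSTALLER_URL" /tmp/install.sh \
#     && verify_checksum /tmp/install.sh "$EXPECTED_SHA256" \
#     && review_installer /tmp/install.sh
# Then read /tmp/install.sh yourself and, only if satisfied: sh /tmp/install.sh
```

A clean review_installer result means none of the listed patterns matched, not that the script is safe; the read-through before running it is the actual control.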
Latest Release
v2.6.0
okx-dex-bridge 2.6.0
- Adds support for the latest Onchain OS DEX cross-chain swap CLI and workflows.
- New, more precise command index: 7 subcommands for bridge, token, quote, approve, calldata swap, execute, and status.
- Updated error handling: region restriction messages, improved detection and reporting of unsupported or unbridgeable chain/token pairs (especially EVM vs Solana/Sui/Tron/Ton).
- Clarifies native token address support: only EVM ↔ EVM bridging permitted, others listed for future reference.
- Bridge/token discovery is now more granular by source/destination chain.
- Updates "chain in scope" guidance and strengthens rules for confirming token contract address selection.
Published by @ok-james-01 on ClawHub