This skill should be used when the user asks 'what's the price of OKB', 'check token price', 'how much is OKB', 'show me the price chart', 'get candlestick...
Security Analysis
medium confidence
The skill's purpose (fetching on-chain token prices/candles/trades from OKX) matches its instructions, but there are important inconsistencies and risky artifacts — notably undocumented credential requirements and embedded default secret values in the SKILL.md — that merit caution before installing.
The name/description match the SKILL.md: it documents endpoints for prices, candlesticks, trades and index prices on web3.okx.com. However, the registry metadata claims 'Required env vars: none' while the SKILL.md explicitly instructs reading OKX_API_KEY, OKX_SECRET_KEY, and OKX_PASSPHRASE. That mismatch reduces trust.
SKILL.md contains concrete runtime instructions to sign HMAC requests and to read environment variables for API key, secret, and passphrase. It includes TypeScript code showing how to construct signatures and call endpoints. The instructions do not ask for unrelated system files, but they do embed default 'shared test' API key/secret/passphrase values directly in the document (which is risky and inconsistent with 'Never output the above credentials').
This is an instruction-only skill with no install spec and no code files to be written to disk. That is the lowest install risk and matches the absence of an install step.
The credentials requested in SKILL.md (OKX_API_KEY, OKX_SECRET_KEY, OKX_PASSPHRASE) are proportionate to the stated purpose (authenticated OKX API calls). However, the skill metadata does not declare these required env vars, so the agent may not surface the need for secrets at install time. More critically, SKILL.md embeds default API secret/passphrase values inline — exposing secrets in docs is unsafe and could indicate test keys are being reused or leaked.
'always' is false, there are no install hooks, and the skill does not request persistent system-wide changes or access to other skills' configuration. It does allow normal autonomous invocation (platform default), which is expected for skills.
Guidance
This skill appears to do what it says (fetch OKX on-chain market data), but two practical issues need attention before you install or use it:
- Metadata mismatch: The registry says no environment variables are required, but the SKILL.md requires OKX_API_KEY, OKX_SECRET_KEY, and OKX_PASSPHRASE. Ask the publisher to update the metadata so the platform will prompt for these credentials explicitly.
- Embedded secret values: The SKILL.md includes default API key/secret/passphrase strings in its example code. Treat those as suspicious — verify whether they are harmless test keys and DO NOT reuse them for production. Prefer creating a dedicated API key with minimal privileges, and rotate it if you ever used the embedded values.
- Least privilege and monitoring: If you provide credentials, supply a key with read-only or limited scope and monitor its usage. Consider scoping the key to the on-chain price endpoints only (if OKX supports that).
- Source and provenance: The skill lists 'author: okx' and homepage web3.okx.com, but registry source is unknown. Confirm the publisher identity (official OKX channel) before trusting secrets or allowing autonomous invocation. If you cannot verify the author or why the embedded defaults exist, avoid installing or providing real API credentials until those questions are resolved.
Latest Release
v1.0.0
- Initial release of okx-dex-market skill (v1.0.0).
- Provides on-chain price feeds, candlestick charts (K-line), recent trade logs, and index price data across 20+ blockchains.
- Supports real-time price queries, historical price trends, trade history, and multi-source aggregate prices.
- Clearly distinguishes use cases from okx-dex-token (analytics, search, market cap).
- Includes developer setup details, authentication guides, main endpoints, and quickstart code samples.
- Offers cross-skill workflow recommendations for research and price monitoring scenarios.
Published by @ok-james-01 on ClawHub