Use this skill for smart-money/whale/KOL/大户 activity tracking, aggregated buy signal/信号 alerts, and leaderboard/牛人榜 rankings. Covers: (1) address tracker — r...
Security Analysis
Medium confidence. The skill is coherent with its stated purpose (it drives an onchainos CLI) but its runtime instructions tell the agent to download and execute a remote installer and manipulate a local CLI — a behavior that increases risk and deserves manual review before allowing automatic execution.
Name/description match the instructions: the skill is an adapter that issues `onchainos` CLI commands (tracker, signal, leaderboard). Asking the user to ensure the onchainos CLI is present is consistent with the skill's purpose.
SKILL.md (via _shared/preflight.md) instructs the agent to fetch the latest release tag from GitHub, download installer/checksum files, verify SHA256, and run the installer script. Those actions go beyond read-only querying and direct the agent to perform network downloads and execute code on the host; this materially expands the skill's runtime authority.
Although the preflight uses well-known hosts (api.github.com, raw.githubusercontent.com, github.com/releases/download), it explicitly tells the agent to download and execute an installer script. There is no formal install spec in the registry — the install mechanism is embedded in instructions, which increases risk because arbitrary remote code would be executed if followed automatically.
The registry metadata requests no environment variables or credentials. The WebSocket doc describes optional OKX API keys for authenticated WS connections (reasonable and documented), but the skill does not require secrets by default.
The preflight expects to read/write local cache paths (e.g., ~/.onchainos/last_check, ~/.local/bin/onchainos) and to install a binary into the user's environment if missing. The skill is not marked always:true, but following its preflight will produce persistent local state and a new executable — a non-trivial privilege for an instruction-only skill.
Guidance
This skill is functionally coherent (it wraps an onchainos CLI) but its shared preflight tells an agent to download and execute an installer from GitHub and write binaries into your home directory. Before installing or allowing the agent to run these steps: (1) Prefer manual installation — inspect the installer script and checksums yourself on the okx/onchainos-skills GitHub repo; (2) Do NOT let an automated agent run curl|sh or execute installers on your machine without review; (3) If you must allow automatic setup, run it in an isolated environment (VM/container) and verify checksum matches the listed hash; (4) Do not provide API keys or secrets to the skill unless you understand the WebSocket auth flow and trust the service; (5) Note the registry lists no explicit source/homepage — confirm the upstream repository and vendor authenticity before proceeding.
Latest Release
v2.4.0
okx-dex-signal 2.4.0
- Bumped version from 2.2.10 to 2.4.0 in metadata.
- No functional or documentation changes in the SKILL.md content.
- All features, usage, and instructions remain the same.
Published by @ok-james-01 on ClawHub