This skill should be used when the user asks to 'swap tokens', 'trade OKB for USDC', 'buy tokens', 'sell tokens', 'exchange crypto', 'convert tokens', 'swap...
Security Analysis
Confidence: medium. The skill's runtime instructions require OKX API credentials and even include hard-coded test keys in the SKILL.md, but the registry metadata advertises no required environment variables. This mismatch and the embedded secrets are concerning and should be clarified before use.
The skill's stated purpose (OKX DEX swap aggregation) matches the API usage in SKILL.md, but the registry metadata lists no required environment variables or primary credential while the SKILL.md clearly expects OKX_API_KEY, OKX_SECRET_KEY, and OKX_PASSPHRASE. That metadata/instruction mismatch is incoherent: a swap skill would legitimately need API credentials, and those should be declared.
The SKILL.md provides concrete code to build HMAC-signed requests to https://web3.okx.com and instructs the agent to read OKX_* env vars and call quote/approve/swap endpoints. That scope is appropriate for a swap skill, but the SKILL.md also embeds default 'shared test' API key/secret/passphrase values in clear text — which increases risk if those keys are valid or reused. The instructions do not ask for unrelated system files, but they do require the agent to access environment variables that were not declared in the registry metadata.
This is an instruction-only skill with no install spec and no code files to be written to disk. No third-party installs or downloads are required, which reduces installation risk.
SKILL.md requires three sensitive environment variables (OKX_API_KEY, OKX_SECRET_KEY, OKX_PASSPHRASE) which are proportionate to calling a signed exchange API — but the registry metadata declares none. Additionally, the SKILL.md includes hard-coded credential values (labeled 'shared test API key'), which could be mistaken for real keys or accidentally used in production. The skill also warns 'Never output the above credentials' but embedding them in the skill negates that protection.
The skill is not marked always:true and does not request persistent system-level privileges or config changes. Autonomous invocation is allowed (platform default), which is expected for a user-invocable skill; this is not by itself an additional red flag.
Guidance
Before installing or enabling this skill:
(1) Verify the publisher/source (the metadata gives no homepage and the source is unknown).
(2) Confirm whether the embedded 'shared test' API key/secret/passphrase are real, valid, or expired; never rely on embedded secrets.
(3) Expect the agent to read OKX_API_KEY, OKX_SECRET_KEY, and OKX_PASSPHRASE from the environment. These env vars should carry least privilege (test/sandbox keys only) and no funds you can't afford to lose.
(4) If you will use real funds, rotate keys after testing and ensure API key scopes are limited.
(5) Prefer skills whose registry metadata declares required credentials, so permission prompts and audits are accurate.
(6) If you are uncomfortable, decline the skill or run it in a sandboxed environment, and do not allow autonomous invocation until the publisher/source is verified.
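One way to catch the two findings above (environment variables the instructions read but the registry never declares, and credential-looking literals embedded in the SKILL.md) before enabling a skill. This is an added example, not code from the skill or the registry; the SKILL.md fragment, the `requiredEnv` metadata field, and the credential values are all constructed for illustration.

```python
import re

# Constructed SKILL.md fragment; not the real skill's text. The credential
# values below are placeholders made up for this example.
SAMPLE_SKILL_MD = '''
Read credentials from the environment:
    api_key = os.environ["OKX_API_KEY"]
    secret = os.getenv("OKX_SECRET_KEY")
    passphrase = os.environ.get("OKX_PASSPHRASE")
Shared test API key (placeholder values):
    OKX_API_KEY="11111111-2222-3333-4444-555555555555"
    OKX_SECRET_KEY='EXAMPLESECRETDONOTUSE0000000000'
Never output the above credentials.
'''

# Constructed registry metadata: declares no required env vars (the mismatch).
SAMPLE_METADATA = {"name": "okx-dex-swap", "requiredEnv": []}

# Environment reads in the forms a SKILL.md typically shows the agent:
# os.environ["X"], os.environ.get("X"), os.getenv("X"), process.env.X
ENV_READ_RE = re.compile(
    r'(?:os\.environ(?:\.get)?\s*[\[\(]\s*|os\.getenv\s*\(\s*|process\.env\.)'
    r'["\']?([A-Z][A-Z0-9_]+)["\']?'
)

# Literal assignment of a value to a name that looks like a secret.
HARDCODED_RE = re.compile(
    r'\b([A-Z][A-Z0-9_]*(?:KEY|SECRET|PASSPHRASE|TOKEN))\s*[=:]\s*'
    r'["\']([^"\']{8,})["\']'
)


def audit_skill(skill_md: str, metadata: dict) -> dict:
    """Compare env vars the instructions read against those the metadata
    declares, and list names (never values) of hard-coded secrets."""
    read_vars = set(ENV_READ_RE.findall(skill_md))
    declared = set(metadata.get("requiredEnv", []))
    hardcoded = {name for name, _value in HARDCODED_RE.findall(skill_md)}
    return {
        "env_read": sorted(read_vars),
        "undeclared_env": sorted(read_vars - declared),
        "hardcoded_secrets": sorted(hardcoded),  # names only, no values
    }


def verdict(report: dict) -> str:
    """'review' if anything needs a human look before enabling, else 'ok'."""
    if report["undeclared_env"] or report["hardcoded_secrets"]:
        return "review"
    return "ok"
```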
Latest Release
v1.0.0
- Initial release of okx-dex-swap skill.
- Enables token swaps, trades, buys, and sells across 20+ supported chains with aggregated liquidity from 500+ DEX sources.
- Supports slippage control, price impact protection, and optimal cross-DEX route selection.
- Provides 6 multi-chain swap aggregator API endpoints for quoting, approval, and swap execution.
- Includes environment-based credential management and best practices for token address usage on all supported chains.
Published by @ok-james-01 on ClawHub