This skill should be used when the user asks to 'find a token', 'search for a token', 'look up PEPE', 'what's trending', 'top tokens', 'trending tokens on S...
Security Analysis
Medium confidence
The skill legitimately targets OKX DEX token APIs, but the runtime instructions expect OKX API credentials (and even include hard-coded test keys) while the published metadata declares no required credentials — an incoherence that deserves caution before installing or supplying secrets.
The SKILL.md clearly documents OKX Web3 DEX token endpoints and HMAC auth, which matches the skill name and description. However, the registry metadata lists no required environment variables or primary credential, while the instructions explicitly require OKX_API_KEY, OKX_SECRET_KEY, and OKX_PASSPHRASE. That mismatch (metadata claiming no creds vs instructions requiring them) is unexpected and inconsistent.
Instructions are narrowly scoped to calling OKX endpoints and building the HMAC signature; they do not ask the agent to read unrelated system files or exfiltrate arbitrary data. However, the provided TypeScript sample falls back to a hard-coded 'shared test' API key/secret/passphrase if env vars are not present. This is a dangerous implicit behavior and broadens the effective runtime scope (you may end up using those embedded credentials unintentionally).
This is an instruction-only skill with no install spec and no code files beyond SKILL.md. No downloads or install steps are present, which minimizes install-time risk.
The skill needs API credentials to sign requests (OKX_API_KEY, OKX_SECRET_KEY, OKX_PASSPHRASE) according to SKILL.md, but the registry lists none. Additionally, the sample includes hard-coded secret values (test keys) in the instructions — a poor practice that could cause accidental use of shared credentials or leak if copied. Required env vars are proportionate to the stated goal, but the omission from metadata and the presence of embedded secrets are red flags.
Skill does not request permanent presence (always:false) and does not modify other skills or system settings. It only describes runtime API calls to an external web service.
Guidance
Before installing: (1) confirm you are comfortable the skill will call https://web3.okx.com and will need OKX API credentials; the registry metadata currently does not declare these env vars — ask the publisher to fix that. (2) Do not rely on the hard-coded 'shared test' keys shown in the example; create and provide your own API key with minimal (read-only) permissions. (3) Ask the maintainer to remove embedded secrets from examples and to declare OKX_API_KEY / OKX_SECRET_KEY / OKX_PASSPHRASE in the skill manifest (and mark the primary credential). (4) If you must test without your production key, use a dedicated test account/key with restricted scope. (5) Consider verifying the publisher (owner ID and homepage) independently before supplying credentials.
Latest Release
v1.0.0
okx-dex-token 1.0.0
- Initial release for OKX DEX Token Info API.
- Supports token search, metadata, detailed price info, trending token rankings, and holder distribution across 20+ chains.
- Enables analytics and discovery for tokens on XLayer, Solana, Ethereum, BSC, Polygon, Arbitrum, Base, and more.
- Clear skill boundaries: use for discovery, analytics, and rankings—not for raw prices, charts, or trade history (use okx-dex-market instead).
- Authentication via HMAC-SHA256 and environment variables.
Published by @ok-james-01 on ClawHub