Use this skill when the user mentions 'onchainos ws', 'ws start', 'ws poll', 'ws stop', 'ws channels', 'ws session', 'ws channel-info', 'idle-timeout', 'idle...
Security Analysis
Medium confidence: The skill's purpose (managing OKX DEX WebSocket CLI/scripting) is plausible, but its instructions ask the agent to read files from other local skills and describe HMAC auth without declaring any credential or config requirements — an inconsistency you should investigate before installing.
Name, description and the SKILL.md content consistently describe WebSocket CLI usage and how to write custom WS clients for OKX DEX channels. The commands, channels, endpoint, and protocol details align with the stated purpose.
The runtime instructions explicitly tell the agent to read files outside this skill (e.g., ../okx-agentic-wallet/_shared/preflight.md and ../*/references/ws-protocol.md). The skill manifest declares no config paths or file requirements, so the instructions require access to sibling skill repositories/paths that are not declared — this is a scope mismatch and increases risk because the agent will be instructed to read local files not advertised by the skill.
This is an instruction-only skill with no install spec and no code files. That minimizes on-disk installation risk; nothing is downloaded or executed by the install process itself.
SKILL.md documents that HMAC-SHA256 authentication is required before subscribing to the WS endpoint, but the skill declares no required environment variables, credentials, or config paths. That mismatch means the skill either expects credentials to be supplied dynamically (via the agent or other skills) or the manifest omitted necessary credential declarations. You should confirm where keys/secrets are stored and whether the agent will access wallet/private keys.
The skill is not forced-always, and has no install-time persistence or configuration changes. It does not request system-wide privileges in the manifest.
Guidance
This skill is instruction-only and appears to be about managing OKX DEX WebSocket sessions, which is reasonable — but there are a few mismatches you should resolve before installing or invoking it autonomously:

- The SKILL.md tells the agent to read relative files from other skills (preflight.md and several ws-protocol.md files). Verify those files exist locally and inspect them yourself: they could contain additional behavior or requests (including credential usage) not visible in this skill.
- The protocol requires HMAC-SHA256 login, yet the manifest lists no credentials or config paths. Ask the skill author (or inspect the referenced preflight/protocol files) to confirm how and where the auth keys are provided. Do not allow the agent access to wallet private keys or system secrets unless you explicitly trust the source and have isolated testing safeguards.
- Because this skill reads sibling skill files, ensure you trust the whole onchainos-skills collection it ties into. If you cannot verify the referenced files, prefer running the commands manually in a controlled environment or review the referenced files first.

If you plan to enable autonomous invocation, be more cautious: autonomous agents can follow the instructions to read local files and perform WS actions. If you want to proceed, check the referenced files and confirm the credential flow (where HMAC keys live) before granting any runtime access.
Latest Release
v2.6.0
- Added workflow hint for related commands: when using `ws start`, `ws poll`, or `ws stop`, users are now prompted to try the **Wallet Monitor (WebSocket)** workflow.
- Updated metadata version to 2.6.0.
- No changes to CLI usage, parameters, or feature set.
Published by @ok-james-01 on ClawHub