This skill should be used when the user asks to 'broadcast transaction', 'send tx', 'estimate gas', 'simulate transaction', 'check tx status', 'track my tran...
Security Analysis
High confidence: The skill's runtime instructions legitimately require OKX API credentials and include embedded default keys, but the published metadata declares no required credentials — this mismatch and the presence of hard-coded defaults are concerning and should be resolved before use.
The SKILL.md matches the claimed purpose (gas estimation, simulation, broadcasting, order tracking across many chains) and documents the correct OKX endpoints. However, the skill metadata lists no required environment variables or primary credential even though the instructions explicitly require OKX API credentials for HMAC auth — a clear metadata/purpose mismatch.
Instructions are scoped to calling OKX onchain endpoints and computing HMAC-SHA256 signatures using OKX_API_KEY, OKX_SECRET_KEY, and OKX_PASSPHRASE. They do not ask the agent to read unrelated files or system state. Concern: the doc includes hard-coded default API key/secret/passphrase values used when env vars are absent, which is risky (possible misuse, confusion, or unintended use of shared/test creds). The SKILL.md instructs not to print credentials, which is good, but defaults defeat the explicit requirement to provide your own secrets.
Instruction-only skill with no install spec or code files to install. Lowest install risk; nothing is written to disk by an installer.
The runtime requires sensitive API credentials (OKX_API_KEY, OKX_SECRET_KEY, OKX_PASSPHRASE) appropriate for broadcasting transactions, but the registry metadata declares no required env vars or primary credential. Requiring HMAC-capable API keys is proportionate to the functionality, but the omission in metadata and inclusion of hard-coded defaults is a significant red flag — it obscures what credentials are needed and may lead to accidental use of embedded keys.
The skill does not request permanent presence (always:false), does not modify other skills or system-wide config, and has no install steps that would persist or escalate privileges.
Guidance
This skill's behavior (calling OKX onchain APIs and signing requests) matches its description, but its metadata fails to declare the required credentials and the embedded code includes default API key/secret/passphrase values. Before installing or using it: (1) Verify the skill's source and that it really comes from OKX (homepage in SKILL.md points to web3.okx.com but the registry 'Source' is unknown). (2) Do NOT use or rely on the hard-coded default credentials in the SKILL.md; treat them as untrusted — they may be test keys or stale/compromised. (3) If you supply your OKX API keys, create a key with the minimal privileges needed (broadcast/send only as required), disable withdrawals, and rotate the key after testing. (4) Ask the publisher to update the registry metadata to explicitly list OKX_API_KEY, OKX_SECRET_KEY, and OKX_PASSPHRASE as required env vars and to remove any embedded secrets from documentation. (5) Consider testing calls with a restricted test account first and monitor for unexpected activity. The current inconsistencies make the skill suspicious rather than clearly benign.
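A check for the metadata/instruction mismatch described above, written here as an added example that is not part of the registry analysis or of the skill itself: it scans instruction text for environment variables read with literal fallbacks and compares them with what the registry metadata declares. The metadata field names (`requires.env`, `primaryCredential`), the sample SKILL.md text and the sample default strings are constructed assumptions, not ClawHub's real schema or the skill's real values.

```python
"""Audit a skill's instructions against its registry metadata for two issues:
env vars the instructions read but the metadata never declares, and
hard-coded fallback credentials used when an env var is unset."""
import re

# Constructed sample instructions: three OKX env vars, two with literal fallbacks.
SKILL_MD = '''
Sign every request with HMAC-SHA256 using these credentials:
api_key    = os.environ.get("OKX_API_KEY", "example-default-key")
secret_key = os.environ.get("OKX_SECRET_KEY", "example-default-secret")
passphrase = os.environ.get("OKX_PASSPHRASE", "")
Never print the credentials to the user.
'''

# Constructed sample metadata (assumed field names): nothing declared as required.
METADATA = {"name": "okx-onchain-gateway", "requires": {"env": []}, "primaryCredential": None}

# Matches os.environ["NAME"] and os.environ.get("NAME", "<literal default>").
ENV_REF = re.compile(
    r'environ(?:\.get)?\s*[\(\[]\s*["\']([A-Z][A-Z0-9_]+)["\']'
    r'\s*(?:,\s*(["\'])(.*?)\2)?'
)

def referenced_env(skill_md):
    """Map each env var the instructions read to its non-empty literal fallback, or None."""
    refs = {}
    for m in ENV_REF.finditer(skill_md):
        name, default = m.group(1), m.group(3) or None
        refs[name] = refs.get(name) or default  # keep any non-empty fallback seen
    return refs

def audit(skill_md, metadata):
    """Return a list of findings; an empty list means metadata and instructions agree."""
    declared = set(metadata.get("requires", {}).get("env", []))
    refs = referenced_env(skill_md)
    findings = []
    for name in sorted(refs):
        if name not in declared:
            findings.append(f"undeclared: {name} is read by SKILL.md but missing from requires.env")
        if refs[name]:
            findings.append(f"embedded-secret: {name} falls back to a hard-coded literal when unset")
    if refs and not metadata.get("primaryCredential"):
        findings.append("no-primary-credential: instructions need API keys but metadata names none")
    return findings

if __name__ == "__main__":
    for finding in audit(SKILL_MD, METADATA):
        print(finding)
```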
Latest Release
v1.0.0
Initial release of okx-onchain-gateway skill:
- Provides on-chain transaction operations such as gas estimation, transaction simulation, broadcasting, and order tracking across 20+ blockchains.
- Supports key endpoints for gas price retrieval, gas limit estimation, transaction simulation, signed tx broadcasting, and order status tracking.
- Authentication via HMAC-SHA256 using API keys and environment variables; credentials must never be exposed to users.
- Intended to handle user workflows involving sending, simulating, and tracking on-chain transactions (not for swap quoting/execution or programming queries).
- Includes developer quickstart examples, workflow outlines, and guidance on endpoint usage.
Published by @ok-james-01 on ClawHub