
      Safety Report

      Okx Payments

      @ok-james-01

      Interactive setup guide for x402 payment-gated APIs. Trigger when user mentions "402", "x402", "payment-gated", or "OKX payments". Asks buyer vs seller, then...

      22 Downloads
      0 Installs
      0 Stars
      1 Versions
      API Integration (11,971) | Workflow Automation (8,822) | E-Commerce (4,210) | Finance & Accounting (2,590)

      Security Analysis

      Medium confidence
      Suspicious, 0.08 risk

      The skill's instructions generally match an OKX payments integration, but it asks the user to run remote install scripts and to provide sensitive API credentials while the registry metadata claims no required env vars — these inconsistencies and the pipe-to-shell installs are cause for caution.

      Apr 30, 2026 | 1 file | 4 concerns

      Purpose & Capability: note

      Name and description match the instructions: buyer installs OnchainOS CLI/skill and seller implements a server using OKX payment SDKs. However the SKILL.md enumerates required environment variables for the seller (OKX_API_KEY, OKX_SECRET_KEY, OKX_PASSPHRASE, PAY_TO_ADDRESS) while the registry metadata lists no required env vars — that's an inconsistency between claimed requirements and runtime instructions.

      Instruction Scope: concern

      The runtime instructions direct the agent/user to fetch remote scripts (curl|sh and PowerShell irm|iex) and to fetch reference files from raw.githubusercontent.com. Those network actions and running remote installers are expected for installing CLIs, but they expand the agent's runtime surface substantially. The SKILL.md does not instruct reading unrelated local files, but it does direct the user to supply and use sensitive API credentials for the seller path.

      Install Mechanism: note

      No install spec is included in the registry (instruction-only), but SKILL.md recommends piping an install script from raw.githubusercontent.com and using npx to add a skill. The GitHub raw URL is a known host (lower risk than an arbitrary host), but pipe-to-shell (curl|sh, irm|iex) is a high-risk practice and the script should be audited before running.

      Credentials: concern

      The credentials requested in SKILL.md (OKX_API_KEY, OKX_SECRET_KEY, OKX_PASSPHRASE, PAY_TO_ADDRESS) are appropriate for a payments seller integration, but the registry declares no required env vars or primary credential. That mismatch is an important coherence issue: the skill runtime expects sensitive secrets that are not declared in the registry metadata. Treat these as sensitive and provide least-privilege / dev-only keys if proceeding.

      Persistence & Privilege: ok

      The skill is instruction-only, not always-enabled, and does not request permanent always:true privilege or cross-skill config changes. It relies on user-installed CLIs/plugins, so it does not itself declare elevated platform persistence.

      Guidance

      This skill appears to be an interactive setup guide for OKX x402 payments and largely does what it says, but take the following precautions before installing or running anything it recommends:

      - Verify the publisher and URLs: the install instructions pull scripts from raw.githubusercontent.com and reference OKX repos. Confirm those GitHub repos and the publisher identity yourself (visit the project URLs directly in a browser, review the repo history and owners).
      - Don't blindly run pipe-to-shell commands (curl | sh or irm | iex). Download the install script, inspect it locally, and run it in a controlled environment (e.g., disposable VM or container) first.
      - The SKILL.md asks for sensitive API credentials (OKX_API_KEY, OKX_SECRET_KEY, OKX_PASSPHRASE). The registry metadata claims no required env vars; ask the publisher why credentials weren't declared. If you proceed, use least-privilege or dev/test keys and rotate them afterward.
      - Avoid committing .env or credentials to source control. Follow the SKILL.md advice to never commit credentials.
      - If you need stronger assurance, request a signed/published release (GitHub release tarball), or ask the publisher for an install artifact you can audit, rather than running raw install scripts.

      If you are uncomfortable with running remote installers or supplying API secrets, do not install; instead request more provenance (publisher identity, release tags, and a vetted install artifact) or perform the installation in an isolated sandbox.

      Latest Release

      v1.0.0

      OKX x402 Payments skill initial release:

      - Interactive setup guide for x402 payment-gated APIs, triggered by key terms like "402", "x402", "payment-gated", or "OKX payments".
      - Clarifies user role as "buyer" or "seller", then provides a tailored, step-by-step setup process.
      - Buyer path guides installation of OnchainOS CLI and skills, with OS detection and post-install instructions.
      - Seller path requests preferred language (TypeScript, Go, Rust), then fetches the correct setup reference and enforces key implementation constraints.
      - Includes clear security notes, environment variable handling, and strict workflow rules for server configuration and payments.
      - Provides quick-access references to relevant documentation and SDKs.


      Published by @ok-james-01 on ClawHub
