
      Safety Report

      Okx Wallet Portfolio

      @ok-james-01

      This skill should be used when the user asks to 'check my wallet balance', 'show my token holdings', 'how much OKB do I have', 'what tokens do I have', 'chec...

      121 Downloads
      3 Installs
      0 Stars
      1 Versions
      API Integration 4,971

      Security Analysis

      medium confidence
      Suspicious · 0.04 risk

      The README-like instructions match the stated purpose (checking wallet balances via OKX API) but the skill metadata omits required environment variables and the instructions embed default API credentials in plaintext — these inconsistencies and embedded secrets are concerning.

      Mar 3, 2026 · 1 file · 3 concerns

      Purpose & Capability: concern

      The SKILL.md clearly requires OKX API credentials (OKX_API_KEY, OKX_SECRET_KEY, OKX_PASSPHRASE) to call web3.okx.com, which is coherent with a wallet-balance skill. However, the registry metadata claims no required environment variables or primary credential — that mismatches the real runtime requirements and is a meaningful coherence problem.

      Instruction Scope: note

      The instructions stay on-topic: they describe how to sign requests and call OKX endpoints to get balances. They do not request unrelated files or other credentials. However, the included TypeScript example hard-codes fallback API credentials (API key, secret, passphrase) inside the SKILL.md, which goes beyond ordinary example code and creates a risk (accidental use of embedded secrets or exposure).

      Install Mechanism: ok

      This is an instruction-only skill with no install spec and no code files to execute on disk, which is the lowest install risk.

      Credentials: concern

      Requesting three OKX credentials is proportional to the stated purpose. The concern is that the skill metadata did not declare these env vars, while the instructions access process.env variables. Additionally, the SKILL.md provides default plaintext API key/secret/passphrase values — embedding secrets in the skill content is a poor practice and may be accidental or a leak of test/real credentials.

      Persistence & Privilege: ok

      The skill is not always-enabled and uses the platform default for autonomous invocation. It does not request persistent system-level privileges or modify other skills' configs in the provided instructions.

      Guidance

      Before installing or enabling this skill, be aware of these points:

      - Metadata mismatch: The skill's SKILL.md expects three environment variables (OKX_API_KEY, OKX_SECRET_KEY, OKX_PASSPHRASE) but the registry metadata lists none. Confirm you are comfortable providing OKX API credentials if you use the skill.
      - Embedded secrets: The SKILL.md includes default API key/secret/passphrase values in plaintext. Treat those as suspicious — do not assume they are safe test values. Ask the publisher whether these are intentionally provided test credentials and confirm they are not real or sensitive.
      - Privacy: To answer queries the skill will send wallet addresses (user-supplied) to web3.okx.com. If you do not want your addresses or derived portfolio data shared with OKX, do not use the skill.
      - Operational safety: If you proceed, set credentials via a secure secret store or environment variables and ensure the agent does not log or print them. Prefer to verify the publisher (homepage/owner) and request that required env vars be declared in the skill manifest and that embedded secrets be removed. If you cannot verify the source/publisher or if the embedded credentials cannot be explained, treat this skill as untrusted and avoid installing it.

      Latest Release

      v1.0.0

      Initial release of OKX Wallet Portfolio skill, providing multi-chain wallet balance and portfolio lookup.

      - Supports balance queries for 20+ chains including XLayer, Solana, Ethereum, Base, BSC, Arbitrum, and Polygon.
      - Enables fetching total wallet value, per-token balances, and specific token holdings.
      - Includes API authentication setup using HMAC-SHA256 with secure environment variable management.
      - Provides developer quickstart, endpoint documentation, error handling, and typical cross-skill workflows.
      - Not designed for code/integration guidance; strictly for user wallet and portfolio queries.

      Published by @ok-james-01 on ClawHub
