lazy-okx-dca
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, NO_CODE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill references the installation of okx/onchainos-skills to provide core trading functionality. As OKX is a well-known financial service provider, this dependency is documented as a reputable source.
- [CREDENTIALS_UNSAFE]: The skill documentation requires the configuration of highly sensitive environment variables, including OKX_SECRET_KEY and WALLET_PRIVATE_KEY. It suggests storing these in shell profiles (~/.zshrc, ~/.bashrc) or configuration files (openclaw.json). While necessary for automated trading, the use of private keys in these contexts requires careful management by the user.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface as it integrates external data into its operational workflow.
  - Ingestion points: Processes user-defined trading instructions and external market data (quotes, price estimates, and routing information) retrieved from the OKX DEX API.
  - Boundary markers: No specific boundary markers or instructions to ignore embedded commands within external API responses are identified in the documentation.
  - Capability inventory: Performs on-chain financial transactions, signs data using a wallet private key, and executes token swaps across multiple blockchains.
  - Sanitization: There is no documentation regarding the validation or sanitization of data retrieved from the external OKX API before it influences the construction of transactions.
- [NO_CODE]: The provided skill package contains only a markdown manifest and documentation file (SKILL.md); it does not include internal executable scripts or code.