← Back to Skills Marketplace
1887
Downloads
2
Stars
5
Active Installs
1
Versions
Install in OpenClaw
/install okx-dex
Description
OKX DEX aggregator (v6). Get swap quotes, swap/approve tx data, tokens, and chains.
Usage Guidance
This skill appears to implement a genuine OKX DEX API client, but there are important red flags you should address before installing: (1) The repository/registry metadata does NOT declare the three required secrets although SKILL.md and scripts do — verify the publisher and the provenance. (2) The SKILL.md contains inconsistent variable names (SECRET_KEY vs OKX_SECRET_KEY) and brittle signing snippets; test in a safe environment first. (3) The skill is configured 'always: true' which forces it into every agent session — remove or question this unless you need it always available. If you proceed, only provide API keys with minimal permissions, consider creating a dedicated OKX key you can revoke, and monitor/rotate keys after initial use. If the publisher cannot explain the metadata mismatches and justify always:true, treat the package as untrusted.
Capability Analysis
Type: OpenClaw Skill
Name:
Developer:
Version:
Description: OpenClaw Agent Skill
Suspicious High-Entropy/Eval files: 1
The OpenClaw skill 'okx-dex' is designed to interact with the official OKX DEX aggregator API for cryptocurrency operations. It uses standard tools (`curl`, `jq`, `python3`) to fetch data and construct authenticated API requests to `https://web3.okx.com`. API credentials (`OKX_API_KEY`, `OKX_SECRET_KEY`, `OKX_PASSPHRASE`) are securely accessed from environment variables for HMAC signing and authentication headers, with no evidence of exfiltration or insecure handling. Crucially, the `SKILL.md` includes 'Safety Rules' that explicitly instruct the AI agent to display swap details, warn about risks, and 'NEVER execute without explicit user confirmation,' actively mitigating prompt injection risks and promoting transparency.
Capability Assessment
Purpose & Capability
The SKILL.md and scripts clearly implement an OKX DEX aggregator (requests to https://web3.okx.com, HMAC signing, swap/quote/approve endpoints), which is consistent with the declared purpose. However the registry metadata claims no required environment variables or primary credential while the runtime instructions require OKX API credentials — an inconsistency between declared metadata and actual capability.
Instruction Scope
The runtime instructions and provided test script confine network access to the OKX API base URL and only use curl/jq/python3, which is appropriate for the stated purpose. However there are multiple inconsistencies/bugs in the instructions: several Python signing snippets reference a different env var name (SECRET_KEY) than the documented OKX_SECRET_KEY, and some f-string usages rely on shell expansion in a way that is brittle. These mismatches could cause accidental misuse of the wrong environment variable or failed requests.
Install Mechanism
This is an instruction-only skill (no install spec that downloads/executes remote code). The only required binaries are curl, jq, and python3 — reasonable for the provided shell + python examples and lower risk than arbitrary downloads.
Credentials
The skill legitimately needs OKX_API_KEY, OKX_SECRET_KEY (secret), and OKX_PASSPHRASE to sign API calls, which is proportionate for a DEX aggregator. The problem: the registry metadata lists no required env vars / no primary credential, so the manifest underreports sensitive requirements. Also some code snippets refer to SECRET_KEY instead of OKX_SECRET_KEY, increasing the chance of misconfiguration or accidental use of a differently named secret.
Persistence & Privilege
The skill is flagged always: true which forces it to be included in every agent run. A DEX aggregator does not normally require permanent inclusion; 'always' increases the blast radius if the skill or its environment has issues. Autonomous invocation (disable-model-invocation: false) is the platform default and not itself flagged, but combined with always:true and the requirement for API secrets it raises additional risk.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install okx-dex - After installation, invoke the skill by name or use
/okx-dex - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of okx-dex skill.
- Provides OKX DEX aggregator functionality using the v6 API.
- Supports fetching swap quotes, swap and approval transaction data, token lists, and supported chain information.
- Includes Bash and Python3 code examples for all key DEX endpoints.
- Requires OKX API key, secret, and passphrase environment variables.
- CLI examples cover multi-chain (EVM and non-EVM) swap and token workflows.
Metadata
Frequently Asked Questions
What is okx-dex?
OKX DEX aggregator (v6). Get swap quotes, swap/approve tx data, tokens, and chains. It is an AI Agent Skill for Claude Code / OpenClaw, with 1887 downloads so far.
How do I install okx-dex?
Run "/install okx-dex" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is okx-dex free?
Yes, okx-dex is completely free (open-source). You can download, install and use it at no cost.
Which platforms does okx-dex support?
okx-dex is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created okx-dex?
It is built and maintained by ricky321u (@ricky321u); the current version is v1.0.0.
More Skills