← Back to Skills Marketplace
OKX Exchange
by
lk2023060901
· GitHub ↗
· v1.0.1
816
Downloads
0
Stars
3
Active Installs
2
Versions
Install in OpenClaw
/install okx-exchange
Description
OKX quantitative trading agent. Supports spot, USDT-M perpetual swap, and coin-M futures. Strategies: grid trading, trend following (MA/RSI/MACD), spot-futur...
Usage Guidance
This skill appears to be a real OKX trading bot, but there are mismatches you should resolve before installing:
- It needs OKX API keys (demo and optional live keys) and expects you to store them in ~/.openclaw/workspace/.env, yet the registry metadata did not declare any required env vars. Treat this as a red flag: only provide demo keys initially (OKX_SIMULATED=1) and do not add live keys until you audit the code.
- The cron setup uses an 'openclaw' CLI to register recurring jobs that will source your .env and execute monitor/snapshot commands and forward the raw output. Understand and accept that these jobs will periodically run and publish account/position information via your agent channels. If you don't want recurring automation, do not run cron_setup.sh or run 'teardown' after setup.
- Review the code (okx_client.py, execute.py, monitor.py) yourself or run it in a sandboxed/test environment with paper keys. Verify that printing/logging does not leak secrets and that 'require_confirm' and 'auto_trade' prefs are set to safe defaults. Keep OKX_SIMULATED=1 during testing.
- Ensure the workspace .env file is protected (file permissions) and consider using platform-managed secrets instead of plaintext .env. Confirm presence of the 'openclaw' CLI and Python runtime before running cron scripts.
If you want to proceed: run tests and do an initial dry run with OKX_SIMULATED=1 and inspect outputs carefully. If you don't have the expertise to audit the code, treat this skill as high-risk and avoid providing live API keys.
Capability Analysis
Type: OpenClaw Skill
Name: okx-exchange
Version: 1.0.1
The skill is classified as suspicious due to the presence of a configuration option (`OKX_API_URL` in `scripts/okx_client.py`) that allows overriding the API base URL. While not actively exploited by the skill itself, this presents a vulnerability where a compromised environment or a sophisticated prompt injection could redirect API calls to a malicious server, potentially leading to credential harvesting or unauthorized actions. Additionally, the use of `openclaw cron add` in `scripts/cron_setup.sh`, while used defensively with strong anti-prompt-injection messages, represents a powerful capability that could be abused if the agent were manipulated to create malicious cron jobs. No clear evidence of intentional harmful behavior (e.g., data exfiltration to unauthorized endpoints, backdoors, or direct malicious execution) was found. The skill includes several safety features like simulated trading mode, order confirmation, and explicit instructions against credential logging.
Capability Assessment
Purpose & Capability
The skill's declared registry metadata lists no required environment variables or binaries, yet the SKILL.md and README instruct the user to add OKX_API_KEY / OKX_SECRET_KEY / OKX_PASSPHRASE (and LIVE variants) into ~/.openclaw/workspace/.env and to run Python scripts. The cron helper requires an 'openclaw' CLI to be present but that binary is not declared. The absence of declared credentials and required CLI/tools in metadata is an incoherence: a trading skill legitimately needs API keys and a runtime, so those should be declared.
Instruction Scope
Runtime instructions explicitly tell the agent/user to source ~/.openclaw/workspace/.env (loading API keys) every session and to run scripts that will read/write memory files and execute trades. The cron_setup.sh creates scheduled jobs whose messages instruct the cron agent to 'source ~/.openclaw/workspace/.env' and to execute snapshot and monitor commands and 'send the raw output' — meaning account snapshots and monitor outputs (which include balances/positions) will be periodically produced and emitted by the agent. The instructions allow skipping confirmations and switching to live mode with separate live env vars, so misconfiguration could lead to autonomous live trading. These behaviors are within the stated trading purpose, but they broaden what gets read/transmitted (sensitive account data) and grant the skill the ability to schedule recurring automated actions — all of which should be explicit in metadata and reviewed by the user.
Install Mechanism
No formal install spec is declared (instruction-only install), but the bundle contains many Python scripts and a requirements.txt recommending 'pip install -r requirements.txt'. There are no downloads from untrusted URLs or extracted archives. The lack of an automated install step means the user must run pip/setup manually; that's acceptable but should be made explicit in registry metadata. No direct evidence of malicious install sources.
Credentials
The skill requires sensitive OKX API credentials to function (demo and live keys), but the registry's required env vars list is empty — a mismatch that can mislead users and automated permission systems. The code persists state and journals under ~/.openclaw/workspace/memory and instructs to store keys in ~/.openclaw/workspace/.env; storing credentials in a workspace file is convenient but increases risk if that file is not properly protected. Multiple env names (demo vs LIVE) are justified by live/paper modes, but the omission from metadata is a meaningful coherence problem.
Persistence & Privilege
always:false (good). However, cron_setup.sh programmatically registers periodic jobs via 'openclaw cron add' that will run the skill's monitoring and snapshot commands and instruct the cron agent to 'send' outputs. That creates persistent automation (periodic account snapshots and scans) and will run with sourced env keys. This is expected for a trading bot but increases the skill's ongoing footprint and potential blast radius if keys are compromised or misconfigured. The skill does not request to modify other skills' configs.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install okx-exchange - After installation, invoke the skill by name or use
/okx-exchange - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Translated all documentation and SKILL.md to English only
v1.0.0
Initial release: spot/swap/futures trading, grid/trend/arb strategies, SL/TP automation, liquidation risk alerts, performance reports, learning system
Metadata
Frequently Asked Questions
What is OKX Exchange?
OKX quantitative trading agent. Supports spot, USDT-M perpetual swap, and coin-M futures. Strategies: grid trading, trend following (MA/RSI/MACD), spot-futur... It is an AI Agent Skill for Claude Code / OpenClaw, with 816 downloads so far.
How do I install OKX Exchange?
Run "/install okx-exchange" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is OKX Exchange free?
Yes, OKX Exchange is completely free (open-source). You can download, install and use it at no cost.
Which platforms does OKX Exchange support?
OKX Exchange is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created OKX Exchange?
It is built and maintained by lk2023060901 (@lk2023060901); the current version is v1.0.1.
More Skills