Low Risk — Risk Score 20/100
Last scan: 20 hr ago
okx-dex-signal
Smart money/whale/KOL signal tracking — monitors notable wallet buying activity across supported on-chain DEX chains using the OKX Onchain OS CLI tool.
A pure-documentation skill describing how to install and use the official OKX `onchainos` CLI binary for crypto trading signal tracking. No executable scripts are present; all shell/network operations are fully declared in SKILL.md. The main residual risk is supply chain exposure from downloading and executing an external binary from GitHub, which is standard for CLI tool skills and partially mitigated by SHA256 checksum verification.
Skill Name: okx-dex-signal
Duration: 41.1s
Engine: pi
Safe to install
The skill is safe to use as-is. Be aware that it downloads and executes the `onchainos` binary from OKX's GitHub on first use; ensure your environment permits this. Consider pinning to the commit hash of a specific release tag, rather than the tag name alone, for maximum reproducibility.

Findings (2 items)

Finding 1
Severity: Low
Finding: Downloads and executes external binary from GitHub
Category: Supply Chain
Location: SKILL.md:38
The skill instructs the agent to download the `onchainos` binary from OKX's GitHub releases and execute the installer script. While checksum verification is performed (SHA256), any compromise of the GitHub release or a MITM on the download would result in arbitrary code execution. This is standard for CLI tool skills but represents a supply chain attack surface.
Evidence:
    curl -sSL "https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh" -o /tmp/onchainos-install.sh
→ Consider pinning to the commit hash of a specific release tag rather than just the semver tag, since a tag name can be moved to a different commit. In a production environment, mirror the release artifacts in a trusted internal artifact store.

Finding 2
Severity: Low
Finding: Installer script fetched over HTTPS without pinned certificate
Category: Supply Chain
Location: SKILL.md:38
The install.sh and installer-checksums.txt are both fetched from raw.githubusercontent.com without explicit TLS certificate pinning, and the only integrity control is a SHA256 comparison against a checksum file served from that same origin. A sophisticated attacker with a compromised CA could serve malicious content.
Evidence:
    curl -sSL "https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh" -o /tmp/onchainos-install.sh
→ Add a GPG signature verification step for the downloaded artifacts if OKX provides signed releases. The current SHA256 verification provides reasonable protection for most threat models.
Resource    Declared  Inferred  Status     Evidence
Shell       WRITE     WRITE     ✓ Aligned  SKILL.md: Pre-flight steps describe running `sh /tmp/onchainos-install.sh` and `…
Network     READ      READ      ✓ Aligned  SKILL.md: curl calls to GitHub API and raw.githubusercontent.com to fetch releas…
Filesystem  READ      READ      ✓ Aligned  SKILL.md: Reads ~/.onchainos/last_check and writes to ~/.local/bin/onchainos — b…
External URLs (2 findings)

Severity  Type          URL                                          Location
Medium    External URL  https://web3.okx.com                         SKILL.md:8
Medium    External URL  https://web3.okx.com/onchain-os/dev-portal   SKILL.md:71

File Tree

2 files · 14.9 KB · 284 lines
Markdown 2f · 284L
├─ 📁 references
│ └─ 📝 cli-reference.md Markdown 87L · 3.4 KB
└─ 📝 SKILL.md Markdown 197L · 11.6 KB

Security Positives

✓ Pure documentation skill — no executable code present, eliminating embedded malware risk
✓ All shell and network operations are explicitly declared in SKILL.md — no hidden functionality
✓ SHA256 checksum verification is performed on both the installer and the final binary before execution
✓ Binary integrity is re-verified per session by comparing against checksums.txt from the installed version's tag
✓ Skill version drift detection alerts users when the CLI binary is newer than the skill
✓ No credential access or environment variable harvesting — the skill only makes read-only API calls for signal data
✓ No obfuscation, base64, or anti-analysis patterns observed
✓ Rate limit errors guide users to the OKX Developer Portal rather than harvesting keys
✓ References `.env` only in the benign context of reminding users to add it to `.gitignore`
✓ Legitimate OKX-branded tool with proper license (MIT), author, homepage, and version metadata