Low risk: risk score 20/100
Last scan: 23 hours ago
okx-dex-signal
Smart money/whale/KOL signal tracking — monitors notable wallet buying activity across supported on-chain DEX chains using the OKX Onchain OS CLI tool.
A pure-documentation skill describing how to install and use the official OKX `onchainos` CLI binary for crypto trading signal tracking. No executable scripts are present; all shell/network operations are fully declared in SKILL.md. The main residual risk is supply chain exposure from downloading and executing an external binary from GitHub, which is standard for CLI tool skills and partially mitigated by SHA256 checksum verification.
Skill name: okx-dex-signal
Analysis time: 41.1s
Engine: pi
Verdict: OK to install
The skill is safe to use as-is. Be aware that it downloads and executes the `onchainos` binary from OKX's GitHub on first use, so make sure your environment permits this. Consider pinning to the commit hash of a specific release tag for maximum reproducibility.

Security findings (2)

Severity | Finding | Category | Location

Finding 1
Severity: Low
Finding: Downloads and executes external binary from GitHub
Category: Supply chain
Location: SKILL.md:38
The skill instructs the agent to download the `onchainos` binary from OKX's GitHub releases and execute the installer script. While checksum verification is performed (SHA256), any compromise of the GitHub release or a MITM on the download would result in arbitrary code execution. This is standard for CLI tool skills but represents a supply chain attack surface.
Evidence:
curl -sSL "https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh" -o /tmp/onchainos-install.sh
→ Recommendation: Consider pinning to the commit hash of a specific release tag rather than just the semver tag. In a production environment, mirror the release artifacts in a trusted internal artifact store.

Finding 2
Severity: Low
Finding: Installer script fetched over HTTPS without pinned certificate
Category: Supply chain
Location: SKILL.md:38
The install.sh and installer-checksums.txt are fetched from raw.githubusercontent.com without explicit TLS certificate pinning or additional integrity controls beyond SHA256 comparison. A sophisticated attacker with a compromised CA could serve malicious content.
Evidence:
curl -sSL "https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh" -o /tmp/onchainos-install.sh
→ Recommendation: Add a GPG signature verification step for the downloaded artifacts if OKX provides signed releases. The current SHA256 verification provides reasonable protection for most threat models.
Resource type | Declared permission | Inferred permission | Status | Evidence
Command execution | WRITE | WRITE | ✓ consistent | SKILL.md: Pre-flight steps describe running `sh /tmp/onchainos-install.sh` and `…
Network access | READ | READ | ✓ consistent | SKILL.md: curl calls to GitHub API and raw.githubusercontent.com to fetch releas…
File system | READ | READ | ✓ consistent | SKILL.md: Reads ~/.onchainos/last_check and writes to ~/.local/bin/onchainos — b…
External URLs (2 findings)
Medium | External URL | https://web3.okx.com | SKILL.md:8
Medium | External URL | https://web3.okx.com/onchain-os/dev-portal | SKILL.md:71

Directory structure

2 files · 14.9 KB · 284 lines
Markdown: 2 files · 284 lines
├─ 📁 references
│ └─ 📝 cli-reference.md Markdown 87L · 3.4 KB
└─ 📝 SKILL.md Markdown 197L · 11.6 KB

Security highlights

✓ Pure documentation skill — no executable code present, eliminating embedded malware risk
✓ All shell and network operations are explicitly declared in SKILL.md — no hidden functionality
✓ SHA256 checksum verification is performed on both the installer and the final binary before execution
✓ Binary integrity is re-verified per session by comparing against checksums.txt from the installed version's tag
✓ Skill version drift detection alerts users when the CLI binary is newer than the skill
✓ No credential access or environment variable harvesting — the skill only makes read-only API calls for signal data
✓ No obfuscation, base64, or anti-analysis patterns observed
✓ Rate limit errors guide users to the OKX Developer Portal rather than harvesting keys
✓ References `.env` only in the benign context of reminding users to add it to `.gitignore`
✓ Legitimate OKX-branded tool with proper license (MIT), author, homepage, and version metadata