OKX Onchain OS 安全技能：代币风险分析、DApp钓鱼检测、交易预执行安全、签名授权管理

okx-security by okx/onchainos-skills

879 周安装量

176 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/okx/onchainos-skills --skill okx-security

自动化区块链安全

🇨🇳中文介绍

Onchain OS 安全

提供代币风险分析、DApp 钓鱼检测、交易预执行安全、签名安全及授权管理的 5 条命令。

预执行检查

每次运行任何 onchainos 命令前，请务必按顺序执行以下步骤。不要向用户回显常规命令输出；仅在安装、更新或处理故障时提供简要状态更新。

解析最新稳定版本：从 GitHub API 获取最新的稳定发布标签：

curl -sSL "https://api.github.com/repos/okx/onchainos-skills/releases/latest"

将 tag_name 字段（例如 v1.0.5）提取到 LATEST_TAG 变量中。如果 API 调用失败且 onchainos 已在本地安装，则跳过步骤 2-3 并继续运行命令（用户可能离线或受到速率限制；使用过时的二进制文件总比阻塞操作要好）。如果 onchainos 未安装，则停止并告知用户检查网络连接或从 https://github.com/okx/onchainos-skills 手动安装。

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

相关 Skills

Better Auth 最佳实践指南：集成、配置与安全设置完整教程

28,500 周安装

OpenClaw技能安全审计指南：skill-vetter工具详解与安装前安全检查

11,600 周安装

Grimoire Polymarket 技能：Polymarket 市场发现、CLOB 数据与订单管理 CLI 工具

11,200 周安装

Better Auth 身份验证技能指南：为 TypeScript/JavaScript 应用添加认证

11,100 周安装

安装或更新：如果未找到 onchainos，或者位于 ~/.onchainos/last_check（Windows 上为 $env:USERPROFILE\.onchainos\last_check）的缓存文件超过 12 小时：

 * 从最新的发布标签下载安装程序及其校验和文件：

   * **macOS/Linux**：`curl -sSL "https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh" -o /tmp/onchainos-install.sh` `curl -sSL "https://github.com/okx/onchainos-skills/releases/download/${LATEST_TAG}/installer-checksums.txt" -o /tmp/installer-checksums.txt`
   * **Windows**：`Invoke-WebRequest -Uri "https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.ps1" -OutFile "$env:TEMP\onchainos-install.ps1"` `Invoke-WebRequest -Uri "https://github.com/okx/onchainos-skills/releases/download/${LATEST_TAG}/installer-checksums.txt" -OutFile "$env:TEMP\installer-checksums.txt"`
 * 根据 `installer-checksums.txt` 验证安装程序的 SHA256 哈希值。如果不匹配，**停止**并发出警告——安装程序可能已被篡改。
 * 执行：`sh /tmp/onchainos-install.sh`（或在 Windows 上执行 `& "$env:TEMP\onchainos-install.ps1"`）。安装程序内部会处理版本比较，仅在需要时才下载二进制文件。
 * 如果出现其他故障，请引导用户访问 <https://github.com/okx/onchainos-skills>。

3. 验证二进制文件完整性（每个会话一次）：运行 onchainos --version 获取已安装的版本（例如 1.0.5 或 2.0.0-beta.0）。将已安装的标签构造为 v<version>。下载已安装版本对应标签（不一定是 LATEST_TAG）的 checksums.txt 文件：curl -sSL "https://github.com/okx/onchainos-skills/releases/download/v<version>/checksums.txt" -o /tmp/onchainos-checksums.txt 查找对应的平台目标，并将已安装二进制文件的 SHA256 哈希值与校验和进行比较。如果不匹配，请重新安装（步骤 2）并重新验证。如果仍然不匹配，停止并发出警告。

 * 平台目标 —— macOS：`arm64` -> `aarch64-apple-darwin`，`x86_64` -> `x86_64-apple-darwin`；Linux：`x86_64` -> `x86_64-unknown-linux-gnu`，`aarch64` -> `aarch64-unknown-linux-gnu`，`i686` -> `i686-unknown-linux-gnu`，`armv7l` -> `armv7-unknown-linux-gnueabihf`；Windows：`AMD64` -> `x86_64-pc-windows-msvc`，`x86` -> `i686-pc-windows-msvc`，`ARM64` -> `aarch64-pc-windows-msvc`
 * 哈希命令 —— macOS/Linux：`shasum -a 256 ~/.local/bin/onchainos`；Windows：`(Get-FileHash "$env:USERPROFILE\.local\bin\onchainos.exe" -Algorithm SHA256).Hash.ToLower()`

4. 检查技能版本漂移（每个会话一次）：如果 onchainos --version 显示的版本比此技能的 metadata.version 新，则显示一次性通知，告知用户该技能可能已过时，并建议用户通过其平台的方法重新安装技能。不要阻塞操作。

命令失败时不要自动重新安装。 报告错误并建议用户运行 onchainos --version 或从 https://github.com/okx/onchainos-skills 手动重新安装。
速率限制错误。 如果命令触发速率限制，可能是共享 API 密钥被限制。建议用户在 OKX 开发者门户创建个人密钥。如果用户创建了 .env 文件，提醒他们将其添加到 .gitignore 中。

故障安全原则（关键）

如果任何安全扫描命令因任何原因（网络错误、API 错误、超时、速率限制、响应格式错误）失败，智能体必须：

不继续执行相关的交易、兑换、授权或签名操作。
向用户清晰地报告错误。
建议在继续之前重试扫描。

未能完成的安全扫描不是“通过”。当扫描结果不可用时，始终默认拒绝该操作。

风险行动优先级规则

block > warn > safe（空）。顶层的 action 字段反映了 riskItemDetail 中的最高优先级。

`action` 值	风险等级	智能体行为
（空/null）	低风险	可安全继续
`warn`	中等风险	显示风险详情，要求用户明确确认
`block`	高风险	不继续，显示风险详情，建议取消

即使模拟失败，风险扫描结果仍然有效（simulator.revertReason 可能包含回退原因）。
如果 warnings 字段有内容，表示扫描已完成，但某些数据可能不完整。仍需呈现可用的风险信息。
在成功的 API 响应中，空的或 null 的 action 意味着“未检测到风险”。但如果 API 调用失败，action 的缺失并不意味着安全——请应用故障安全原则。

安全命令不需要钱包登录。它们适用于任何地址。

CLI 接受人类可读的链名称并自动解析。

链	名称	chainIndex
XLayer	`xlayer`	`196`
Ethereum	`ethereum` 或 `eth`	`1`
Solana	`solana` 或 `sol`	`501`
BSC	`bsc` 或 `bnb`	`56`
Polygon	`polygon` 或 `matic`	`137`
Arbitrum	`arbitrum` 或 `arb`	`42161`
Base	`base`	`8453`
Avalanche	`avalanche` 或 `avax`	`43114`
Optimism	`optimism` 或 `op`	`10`
zkSync Era	`zksync`	`324`
Linea	`linea`	`59144`
Scroll	`scroll`	`534352`

地址格式注意：EVM 地址（0x...）在 Ethereum/BSC/Polygon/Arbitrum/Base 等链上通用。Solana 地址（Base58）和 Bitcoin 地址（UTXO）格式不同。不要跨链类型混合使用格式。

---|---|---
1 | onchainos security token-scan | 代币风险/蜜罐检测（所有链）
2 | onchainos security dapp-scan | DApp/URL 钓鱼检测（与链无关）
3 | onchainos security tx-scan | 交易预执行安全（EVM + Solana）
4 | onchainos security sig-scan | 消息签名安全（仅 EVM）
5 | onchainos security approvals | 代币授权 / Permit2 授权查询（仅 EVM）

参考文档加载规则（强制）

在执行任何安全命令之前，你必须从 skills/okx-security/references/ 读取相应的参考文档。不要依赖先验知识——始终先加载参考文档。

用户意图	首先读取此文件
代币安全、蜜罐、这个代币安全吗、代币安全、蜜罐检测、貔貅盘	`references/risk-token-detection.md`
DApp/URL 钓鱼、这个网站安全吗、钓鱼网站	`references/risk-domain-detection.md`
交易安全、交易预执行、签名安全、授权安全、交易安全、签名安全	`references/risk-transaction-detection.md`
授权、额度、Permit2、撤销、授权管理、授权查询、风险授权	`references/risk-approval-monitoring.md`

当工作流涉及多个命令时（例如，先 token-scan 再 tx-scan），在执行每个命令前加载其对应的参考文档。

与其他技能的集成

安全扫描通常是其他钱包操作的前提：

在使用合约代币执行 wallet send 之前：运行 token-scan 以验证代币安全性
在使用包含 approve 调用数据的 wallet contract-call 之前：运行 tx-scan 以检查支出者
在与任何 DApp URL 交互之前：运行 dapp-scan
在签署任何 EIP-712 消息之前：运行 sig-scan

使用 okx-agentic-wallet 技能执行后续的发送/合约调用操作。

🇺🇸English

Onchain OS Security

5 commands for token risk analysis, DApp phishing detection, transaction pre-execution security, signature safety, and approval management.

Pre-flight Checks

Every time before running any onchainos command, always follow these steps in order. Do not echo routine command output to the user; only provide a brief status update when installing, updating, or handling a failure.

Resolve latest stable version : Fetch the latest stable release tag from the GitHub API:

curl -sSL "https://api.github.com/repos/okx/onchainos-skills/releases/latest"

Extract the tag_name field (e.g., v1.0.5) into LATEST_TAG. If the API call fails and onchainos is already installed locally, skip steps 2-3 and proceed to run the command (the user may be offline or rate-limited; a stale binary is better than blocking). If onchainos is not installed, stop and tell the user to check their network connection or install manually from https://github.com/okx/onchainos-skills.

Install or update : If onchainos is not found, or if the cache at ~/.onchainos/last_check ($env:USERPROFILE\.onchainos\last_check on Windows) is older than 12 hours:
- Download the installer and its checksum file from the latest release tag:
  - macOS/Linux : curl -sSL "https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh" -o /tmp/onchainos-install.sh curl -sSL "https://github.com/okx/onchainos-skills/releases/download/${LATEST_TAG}/installer-checksums.txt" -o /tmp/installer-checksums.txt
  - Windows : Invoke-WebRequest -Uri "https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.ps1" -OutFile "$env:TEMP\onchainos-install.ps1"

Fail-safe Principle (CRITICAL)

If any security scan command fails for ANY reason (network error, API error, timeout, rate limiting, malformed response), the Agent MUST:

NOT proceed with the associated transaction, swap, approval, or signature.
Report the error clearly to the user.
Suggest retrying the scan before continuing.

A security scan that fails to complete is NOT a "pass". Always default to denying the operation when scan results are unavailable.

Risk Action Priority Rule

block > warn > safe (empty). The top-level action field reflects the highest priority from riskItemDetail.

`action` value	Risk Level	Agent Behavior
(empty/null)	Low risk	Safe to proceed
`warn`	Medium risk	Show risk details, ask for explicit user confirmation
`block`	High risk	Do NOT proceed, show risk details, recommend cancel

Risk scan result is still valid even if simulation fails (simulator.revertReason may contain the revert reason).
If warnings field is populated, the scan completed but some data may be incomplete. Still present available risk information.
An empty/null action in a successful API response means "no risk detected". But if the API call failed , the absence of action does NOT mean safe — apply the fail-safe principle.

Security commands do not require wallet login. They work with any address.

Chain Name Support

The CLI accepts human-readable chain names and resolves them automatically.

Chain	Name	chainIndex
XLayer	`xlayer`	`196`
Ethereum	`ethereum` or `eth`	`1`
Solana	`solana` or `sol`	`501`

Address format note : EVM addresses (0x...) work across Ethereum/BSC/Polygon/Arbitrum/Base etc. Solana addresses (Base58) and Bitcoin addresses (UTXO) have different formats. Do NOT mix formats across chain types.

Command Index

| Command | Description

---|---|---
1 | onchainos security token-scan | Token risk / honeypot detection (all chains)
2 | onchainos security dapp-scan | DApp / URL phishing detection (chain-agnostic)
3 | onchainos security tx-scan | Transaction pre-execution security (EVM + Solana)
4 | onchainos security sig-scan | Message signature security (EVM only)
5 | onchainos security approvals | Token approval / Permit2 authorization query (EVM only)

Reference Loading Rules (MANDATORY)

Before executing ANY security command, you MUST read the corresponding reference document from skills/okx-security/references/. Do NOT rely on prior knowledge — always load the reference first.

User intent	Read this file FIRST
Token safety, honeypot, is this token safe, 代币安全, 蜜罐检测, 貔貅盘	`references/risk-token-detection.md`
DApp/URL phishing, is this site safe, 钓鱼网站	`references/risk-domain-detection.md`
Transaction safety, tx pre-execution, signature safety, approve safety, 交易安全, 签名安全	`references/risk-transaction-detection.md`
Approvals, allowance, Permit2, revoke, 授权管理, 授权查询, 风险授权	`references/risk-approval-monitoring.md`

When a workflow involves multiple commands (e.g., token-scan then tx-scan), load each reference before executing that command.

Integration with Other Skills

Security scanning is often a prerequisite for other wallet operations:

Before wallet send with a contract token: run token-scan to verify token safety
Before wallet contract-call with approve calldata: run tx-scan to check spender
Before interacting with any DApp URL: run dapp-scan
Before signing any EIP-712 message: run sig-scan

Use okx-agentic-wallet skill for the subsequent send/contract-call operations.

Weekly Installs

781

Repository

okx/onchainos-skills

GitHub Stars

173

First Seen

7 days ago

Security Audits

Gen Agent Trust HubPass SocketPass SnykWarn

Installed on

codex764

opencode761

github-copilot760

amp759

gemini-cli759

cursor759

Invoke-WebRequest -Uri "https://github.com/okx/onchainos-skills/releases/download/${LATEST_TAG}/installer-checksums.txt" -OutFile "$env:TEMP\installer-checksums.txt"

Verify the installer's SHA256 against installer-checksums.txt. On mismatch, stop and warn — the installer may have been tampered with.

Execute: sh /tmp/onchainos-install.sh (or & "$env:TEMP\onchainos-install.ps1" on Windows). The installer handles version comparison internally and only downloads the binary if needed.

On other failures, point to https://github.com/okx/onchainos-skills.

Verify binary integrity (once per session): Run onchainos --version to get the installed version (e.g., 1.0.5 or 2.0.0-beta.0). Construct the installed tag as v<version>. Download checksums.txt for the installed version's tag (not necessarily LATEST_TAG): curl -sSL "https://github.com/okx/onchainos-skills/releases/download/v<version>/checksums.txt" -o /tmp/onchainos-checksums.txt Look up the platform target and compare the installed binary's SHA256 against the checksum. On mismatch, reinstall (step 2) and re-verify. If still mismatched, stop and warn.

Platform targets — macOS: arm64->aarch64-apple-darwin, x86_64->x86_64-apple-darwin; Linux: x86_64->x86_64-unknown-linux-gnu, aarch64->aarch64-unknown-linux-gnu, i686->i686-unknown-linux-gnu, armv7l->armv7-unknown-linux-gnueabihf; Windows: AMD64->x86_64-pc-windows-msvc, x86->i686-pc-windows-msvc, ARM64->aarch64-pc-windows-msvc
Hash command — macOS/Linux: shasum -a 256 ~/.local/bin/onchainos; Windows: (Get-FileHash "$env:USERPROFILE\.local\bin\onchainos.exe" -Algorithm SHA256).Hash.ToLower()

Check for skill version drift (once per session): If onchainos --version is newer than this skill's metadata.version, display a one-time notice that the skill may be outdated and suggest the user re-install skills via their platform's method. Do not block.

Do NOT auto-reinstall on command failures. Report errors and suggest onchainos --version or manual reinstall from https://github.com/okx/onchainos-skills.

Rate limit errors. If a command hits rate limits, the shared API key may be throttled. Suggest creating a personal key at the OKX Developer Portal. If the user creates a .env file, remind them to add .env to .gitignore.