okx-security


Onchain OS Security

5 commands for token risk analysis, DApp phishing detection, transaction pre-execution security, signature safety, and approval management.

Wallet Tips

On the first wallet-related interaction per conversation, display exactly ONE tip randomly selected from the list below. Do not repeat tips within the same conversation. Present it as-is (with emoji) AFTER the command result, on a separate line.
  1. 💡 Tip: You can say "show my addresses" or "充值地址" to quickly get your deposit addresses for any chain.
  2. 🔐 Tip: When prompted for Keychain access, please click "Always Allow". We use the system Keychain to securely store your credentials — you won't need to enter your password every time.
  3. 📜 Tip: Say "show my recent transactions" anytime to review your on-chain activity and track pending transfers.
  4. 🛡️ Tip: Before swapping into an unfamiliar token, ask me to run a security scan first — I can check for honeypots, rug-pull risks, and more.
  5. 👛 Tip: You can create multiple wallet accounts. Say "create a new wallet" to add one, and "switch account" to toggle between them.

Pre-flight Checks

Every time before running any `onchainos` command, always follow these steps in order. Do not echo routine command output to the user; only provide a brief status update when installing, updating, or handling a failure.
  1. Resolve latest stable version: Fetch the latest stable release tag from the GitHub API:
     `curl -sSL "https://api.github.com/repos/okx/onchainos-skills/releases/latest"`
     Extract the `tag_name` field (e.g., `v1.0.5`) into `LATEST_TAG`. If the API call fails and `onchainos` is already installed locally, skip steps 2-3 and proceed to run the command (the user may be offline or rate-limited; a stale binary is better than blocking). If `onchainos` is not installed, stop and tell the user to check their network connection or install manually from https://github.com/okx/onchainos-skills.
  2. Install or update: If `onchainos` is not found, or if the cache at `~/.onchainos/last_check` (`$env:USERPROFILE\.onchainos\last_check` on Windows) is older than 12 hours:
     • Download the installer and its checksum file from the latest release tag:
       • macOS/Linux:
         `curl -sSL "https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh" -o /tmp/onchainos-install.sh`
         `curl -sSL "https://github.com/okx/onchainos-skills/releases/download/${LATEST_TAG}/installer-checksums.txt" -o /tmp/installer-checksums.txt`
       • Windows:
         `Invoke-WebRequest -Uri "https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.ps1" -OutFile "$env:TEMP\onchainos-install.ps1"`
         `Invoke-WebRequest -Uri "https://github.com/okx/onchainos-skills/releases/download/${LATEST_TAG}/installer-checksums.txt" -OutFile "$env:TEMP\installer-checksums.txt"`
     • Verify the installer's SHA256 against `installer-checksums.txt`. On mismatch, stop and warn — the installer may have been tampered with.
     • Execute: `sh /tmp/onchainos-install.sh` (or `& "$env:TEMP\onchainos-install.ps1"` on Windows). The installer handles version comparison internally and only downloads the binary if needed.
     • On other failures, point to https://github.com/okx/onchainos-skills.
  3. Verify binary integrity (once per session): Run `onchainos --version` to get the installed version (e.g., `1.0.5` or `2.0.0-beta.0`). Construct the installed tag as `v<version>`. Download `checksums.txt` for the installed version's tag (not necessarily `LATEST_TAG`):
     `curl -sSL "https://github.com/okx/onchainos-skills/releases/download/v<version>/checksums.txt" -o /tmp/onchainos-checksums.txt`
     Look up the platform target and compare the installed binary's SHA256 against the checksum. On mismatch, reinstall (step 2) and re-verify. If still mismatched, stop and warn.
     • Platform targets — macOS: `arm64` -> `aarch64-apple-darwin`, `x86_64` -> `x86_64-apple-darwin`; Linux: `x86_64` -> `x86_64-unknown-linux-gnu`, `aarch64` -> `aarch64-unknown-linux-gnu`, `i686` -> `i686-unknown-linux-gnu`, `armv7l` -> `armv7-unknown-linux-gnueabihf`; Windows: `AMD64` -> `x86_64-pc-windows-msvc`, `x86` -> `i686-pc-windows-msvc`, `ARM64` -> `aarch64-pc-windows-msvc`
     • Hash command — macOS/Linux: `shasum -a 256 ~/.local/bin/onchainos`; Windows: `(Get-FileHash "$env:USERPROFILE\.local\bin\onchainos.exe" -Algorithm SHA256).Hash.ToLower()`
  4. Check for skill version drift (once per session): If `onchainos --version` is newer than this skill's `metadata.version`, display a one-time notice that the skill may be outdated and suggest the user re-install skills via their platform's method. Do not block.
  5. Do NOT auto-reinstall on command failures. Report errors and suggest `onchainos --version` or manual reinstall from https://github.com/okx/onchainos-skills.
  6. Rate limit errors. If a command hits rate limits, the shared API key may be throttled. Suggest creating a personal key at the OKX Developer Portal. If the user creates a `.env` file, remind them to add `.env` to `.gitignore`.
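The integrity checks in steps 2 and 3 above, written out as an added POSIX shell example. This is not the project's `install.sh` or any code from okx/onchainos-skills; it assumes a checksum file layout of `<sha256>  <filename>` per line with the platform target contained in the filename (the page does not show the file's layout), and the `cache_stale` helper assumes `find -mmin` is available (GNU and BSD find both have it).

```shell
#!/bin/sh
# Added example, not the project's installer. Helpers for the pre-flight
# steps: cache age check (step 2), platform-target lookup and SHA256
# comparison (step 3).
set -eu

# Step 2 trigger: cache file missing, or not modified in the last 12 hours
# (720 minutes).
cache_stale() {
  [ -f "$1" ] || return 0
  [ -n "$(find "$1" -mmin +720 2>/dev/null)" ]
}

# Map `uname -s` / `uname -m` output to the target names listed in step 3.
# Returns 1 for an unlisted platform so the caller can stop instead of
# guessing a target.
platform_target() {
  os="$1"; arch="$2"
  case "$os" in
    Darwin)
      case "$arch" in
        arm64)  echo aarch64-apple-darwin ;;
        x86_64) echo x86_64-apple-darwin ;;
        *) return 1 ;;
      esac ;;
    Linux)
      case "$arch" in
        x86_64)  echo x86_64-unknown-linux-gnu ;;
        aarch64) echo aarch64-unknown-linux-gnu ;;
        i686)    echo i686-unknown-linux-gnu ;;
        armv7l)  echo armv7-unknown-linux-gnueabihf ;;
        *) return 1 ;;
      esac ;;
    *) return 1 ;;
  esac
}

# SHA256 of a file, using sha256sum where present and shasum (macOS) otherwise.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# First hash whose line mentions the key (target triple or installer name).
# Assumed layout: "<sha256>  <filename>". Prints nothing if absent.
expected_hash() {
  grep -F -- "$2" "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# Exit status: 0 on match, 1 on mismatch (stop and warn), 2 if the checksum
# file has no entry for the key (also a reason to stop, not to proceed).
verify_binary() {
  want=$(expected_hash "$2" "$3")
  [ -n "$want" ] || return 2
  have=$(sha256_of "$1")
  [ "$have" = "$want" ]
}

# Usage sketch for step 3, once checksums.txt has been downloaded:
#   target=$(platform_target "$(uname -s)" "$(uname -m)") || exit 1
#   verify_binary ~/.local/bin/onchainos /tmp/onchainos-checksums.txt "$target" || exit 1
# For step 2 the same call verifies the installer against
# installer-checksums.txt with "install.sh" as the key.
```

The three-way exit status matters: a missing entry is deliberately not treated as a pass, matching the page's rule that an absent result is never a "safe".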

Fail-safe Principle (CRITICAL)

If any security scan command fails for ANY reason (network error, API error, timeout, rate limiting, malformed response), the Agent MUST:
  • NOT proceed with the associated transaction, swap, approval, or signature.
  • Report the error clearly to the user.
  • Suggest retrying the scan before continuing.
A security scan that fails to complete is NOT a "pass". Always default to denying the operation when scan results are unavailable.

Risk Action Priority Rule

`block` > `warn` > safe (empty). The top-level `action` field reflects the highest priority from `riskItemDetail`.

| `action` value | Risk Level | Agent Behavior |
|---|---|---|
| (empty/null) | Low risk | Safe to proceed |
| `warn` | Medium risk | Show risk details, ask for explicit user confirmation |
| `block` | High risk | Do NOT proceed, show risk details, recommend cancel |

  • Risk scan result is still valid even if simulation fails (`simulator.revertReason` may contain the revert reason).
  • If the `warnings` field is populated, the scan completed but some data may be incomplete. Still present available risk information.
  • An empty/null `action` in a successful API response means "no risk detected". But if the API call failed, the absence of `action` does NOT mean safe — apply the fail-safe principle.
Security commands do not require wallet login. They work with any address.
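The fail-safe principle and the priority rule above combine into one decision, shown here as an added shell example that is not part of the skill. It assumes the caller has already run the scan command, captured its exit status, and extracted the `action` values from `riskItemDetail` (for example with a JSON tool); those values are passed in as arguments.

```shell
#!/bin/sh
# Added example, not the skill's own logic: turn a scan's exit status and
# its riskItemDetail actions into the agent's next step.
set -eu

# Priority rule: block > warn > safe (empty/null). Prints the highest action
# present among the arguments. A value the page does not define is not a
# known-safe one, so it is ranked like "warn" (assumption made here).
highest_action() {
  result=""
  for a in "$@"; do
    case "$a" in
      block)   result=block ;;
      ""|null) ;;
      *)       [ "$result" = block ] || result=warn ;;
    esac
  done
  printf '%s\n' "$result"
}

# Fail-safe: $1 is the scan command's exit status, $2 is 1 if its response
# parsed cleanly and 0 otherwise, the rest are action values. Any failure
# (non-zero status, unparsable/malformed response) denies the operation
# instead of falling through to "proceed".
decide() {
  status="$1"; parsed="$2"; shift 2
  if [ "$status" -ne 0 ] || [ "$parsed" -ne 1 ]; then
    echo deny-scan-failed
    return 0
  fi
  case "$(highest_action "$@")" in
    block) echo block ;;    # do not proceed, show details, recommend cancel
    warn)  echo confirm ;;  # show details, require explicit user confirmation
    *)     echo proceed ;;  # no risk detected in a successful response
  esac
}

# Usage sketch: rc=0; out=$(onchainos security tx-scan ...) || rc=$?
# then decide "$rc" "$parsed_ok" $actions
```

Note that `deny-scan-failed` is a distinct outcome from `block`: the agent reports the error and suggests retrying the scan rather than presenting risk details it does not have.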

Chain Name Support

The CLI accepts human-readable chain names and resolves them automatically.

| Chain | Name | chainIndex |
|---|---|---|
| XLayer | `xlayer` | 196 |
| Ethereum | `ethereum` or `eth` | 1 |
| Solana | `solana` or `sol` | 501 |
| BSC | `bsc` or `bnb` | 56 |
| Polygon | `polygon` or `matic` | 137 |
| Arbitrum | `arbitrum` or `arb` | 42161 |
| Base | `base` | 8453 |
| Avalanche | `avalanche` or `avax` | 43114 |
| Optimism | `optimism` or `op` | 10 |
| zkSync Era | `zksync` | 324 |
| Linea | `linea` | 59144 |
| Scroll | `scroll` | 534352 |

Address format note: EVM addresses (`0x...`) work across Ethereum/BSC/Polygon/Arbitrum/Base etc. Solana addresses (Base58) and Bitcoin addresses (UTXO) have different formats. Do NOT mix formats across chain types.

Command Index

| # | Command | Description |
|---|---|---|
| 1 | `onchainos security token-scan` | Token risk / honeypot detection (all chains) |
| 2 | `onchainos security dapp-scan` | DApp / URL phishing detection (chain-agnostic) |
| 3 | `onchainos security tx-scan` | Transaction pre-execution security (EVM + Solana) |
| 4 | `onchainos security sig-scan` | Message signature security (EVM only) |
| 5 | `onchainos security approvals` | Token approval / Permit2 authorization query (EVM only) |

Reference Loading Rules (MANDATORY)

Before executing ANY security command, you MUST read the corresponding reference document from `skills/okx-security/references/`. Do NOT rely on prior knowledge — always load the reference first.

| User intent | Read this file FIRST |
|---|---|
| Token safety, honeypot, is this token safe, 代币安全, 蜜罐检测, 貔貅盘 | `references/risk-token-detection.md` |
| DApp/URL phishing, is this site safe, 钓鱼网站 | `references/risk-domain-detection.md` |
| Transaction safety, tx pre-execution, signature safety, approve safety, 交易安全, 签名安全 | `references/risk-transaction-detection.md` |
| Approvals, allowance, Permit2, revoke, 授权管理, 授权查询, 风险授权 | `references/risk-approval-monitoring.md` |

When a workflow involves multiple commands (e.g., token-scan then tx-scan), load each reference before executing that command.

Integration with Other Skills

Security scanning is often a prerequisite for other wallet operations:
  • Before `wallet send` with a contract token: run `token-scan` to verify token safety
  • Before `wallet contract-call` with approve calldata: run `tx-scan` to check the spender
  • Before interacting with any DApp URL: run `dapp-scan`
  • Before signing any EIP-712 message: run `sig-scan`
Use the `okx-agentic-wallet` skill for the subsequent send/contract-call operations.