Onchain OS Security

5 commands for token risk analysis, DApp phishing detection, transaction pre-execution security, signature safety, and approval management.

Wallet Tips

On the first wallet-related interaction per conversation, display exactly ONE tip randomly selected from the list below. Do not repeat tips within the same conversation. Present it as-is (with emoji) AFTER the command result, on a separate line.

💡 Tip: You can say "show my addresses" or "充值地址" to quickly get your deposit addresses for any chain.
🔐 Tip: When prompted for Keychain access, please click "Always Allow". We use the system Keychain to securely store your credentials — you won't need to enter your password every time.
📜 Tip: Say "show my recent transactions" anytime to review your on-chain activity and track pending transfers.
🛡️ Tip: Before swapping into an unfamiliar token, ask me to run a security scan first — I can check for honeypots, rug-pull risks, and more.
👛 Tip: You can create multiple wallet accounts. Say "create a new wallet" to add one, and "switch account" to toggle between them.

Pre-flight Checks

Every time before running any

onchainos

command, always follow these steps in order. Do not echo routine command output to the user; only provide a brief status update when installing, updating, or handling a failure.

Resolve latest stable version: Fetch the latest stable release tag from the GitHub API:
```
curl -sSL "https://api.github.com/repos/okx/onchainos-skills/releases/latest"
```
Extract the
```
tag_name
```
field (e.g.,
```
v1.0.5
```
) into
```
LATEST_TAG
```
. If the API call fails and
```
onchainos
```
is already installed locally, skip steps 2-3 and proceed to run the command (the user may be offline or rate-limited; a stale binary is better than blocking). If
```
onchainos
```
is not installed, stop and tell the user to check their network connection or install manually from https://github.com/okx/onchainos-skills.

Install or update: If

onchainos

is not found, or if the cache at

~/.onchainos/last_check

(

$env:USERPROFILE\.onchainos\last_check

on Windows) is older than 12 hours:

Download the installer and its checksum file from the latest release tag:

macOS/Linux:

curl -sSL "https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh" -o /tmp/onchainos-install.sh

curl -sSL "https://github.com/okx/onchainos-skills/releases/download/${LATEST_TAG}/installer-checksums.txt" -o /tmp/installer-checksums.txt

Windows:

Invoke-WebRequest -Uri "https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.ps1" -OutFile "$env:TEMP\onchainos-install.ps1"

Invoke-WebRequest -Uri "https://github.com/okx/onchainos-skills/releases/download/${LATEST_TAG}/installer-checksums.txt" -OutFile "$env:TEMP\installer-checksums.txt"

Verify the installer's SHA256 against
```
installer-checksums.txt
```
. On mismatch, stop and warn — the installer may have been tampered with.
Execute:
```
sh /tmp/onchainos-install.sh
```
(or
```
& "$env:TEMP\onchainos-install.ps1"
```
on Windows). The installer handles version comparison internally and only downloads the binary if needed.
On other failures, point to https://github.com/okx/onchainos-skills.

Verify binary integrity (once per session): Run

onchainos --version

to get the installed version (e.g.,

1.0.5

2.0.0-beta.0

). Construct the installed tag as

v<version>

. Download

checksums.txt

for the installed version's tag (not necessarily LATEST_TAG):

curl -sSL "https://github.com/okx/onchainos-skills/releases/download/v<version>/checksums.txt" -o /tmp/onchainos-checksums.txt

Look up the platform target and compare the installed binary's SHA256 against the checksum. On mismatch, reinstall (step 2) and re-verify. If still mismatched, stop and warn.

Platform targets — macOS:

arm64

aarch64-apple-darwin

x86_64

x86_64-apple-darwin

; Linux:

x86_64

x86_64-unknown-linux-gnu

aarch64

aarch64-unknown-linux-gnu

i686

i686-unknown-linux-gnu

armv7l

armv7-unknown-linux-gnueabihf

; Windows:

AMD64

x86_64-pc-windows-msvc

x86

i686-pc-windows-msvc

ARM64

aarch64-pc-windows-msvc

Hash command — macOS/Linux:

shasum -a 256 ~/.local/bin/onchainos

; Windows:

(Get-FileHash "$env:USERPROFILE\.local\bin\onchainos.exe" -Algorithm SHA256).Hash.ToLower()

Check for skill version drift (once per session): If
```
onchainos --version
```
is newer than this skill's
```
metadata.version
```
, display a one-time notice that the skill may be outdated and suggest the user re-install skills via their platform's method. Do not block.
Do NOT auto-reinstall on command failures. Report errors and suggest
```
onchainos --version
```
or manual reinstall from https://github.com/okx/onchainos-skills.
Rate limit errors. If a command hits rate limits, the shared API key may be throttled. Suggest creating a personal key at the OKX Developer Portal. If the user creates a
```
.env
```
file, remind them to add
```
.env
```
to
```
.gitignore
```
.

Fail-safe Principle (CRITICAL)

If any security scan command fails for ANY reason (network error, API error, timeout, rate limiting, malformed response), the Agent MUST:

NOT proceed with the associated transaction, swap, approval, or signature.
Report the error clearly to the user.
Suggest retrying the scan before continuing.

A security scan that fails to complete is NOT a "pass". Always default to denying the operation when scan results are unavailable.

Risk Action Priority Rule

block

warn

> safe (empty). The top-level

action

field reflects the highest priority from

riskItemDetail

`action` value	Risk Level	Agent Behavior
(empty/null)	Low risk	Safe to proceed
`warn`	Medium risk	Show risk details, ask for explicit user confirmation
`block`	High risk	Do NOT proceed, show risk details, recommend cancel

Risk scan result is still valid even if simulation fails (
```
simulator.revertReason
```
may contain the revert reason).
If
```
warnings
```
field is populated, the scan completed but some data may be incomplete. Still present available risk information.
An empty/null
```
action
```
in a successful API response means "no risk detected". But if the API call failed, the absence of
```
action
```
does NOT mean safe — apply the fail-safe principle.

Security commands do not require wallet login. They work with any address.

Chain Name Support

The CLI accepts human-readable chain names and resolves them automatically.

Chain	Name	chainIndex
XLayer	`xlayer`	`196`
Ethereum	`ethereum` or `eth`	`1`
Solana	`solana` or `sol`	`501`
BSC	`bsc` or `bnb`	`56`
Polygon	`polygon` or `matic`	`137`
Arbitrum	`arbitrum` or `arb`	`42161`
Base	`base`	`8453`
Avalanche	`avalanche` or `avax`	`43114`
Optimism	`optimism` or `op`	`10`
zkSync Era	`zksync`	`324`
Linea	`linea`	`59144`
Scroll	`scroll`	`534352`

Address format note: EVM addresses (

0x...

) work across Ethereum/BSC/Polygon/Arbitrum/Base etc. Solana addresses (Base58) and Bitcoin addresses (UTXO) have different formats. Do NOT mix formats across chain types.

Command Index


onchainos security token-scan
onchainos security dapp-scan
onchainos security tx-scan
onchainos security sig-scan
onchainos security approvals

#	Command	Description
1	`onchainos security token-scan`	Token risk / honeypot detection (all chains)
2	`onchainos security dapp-scan`	DApp / URL phishing detection (chain-agnostic)
3	`onchainos security tx-scan`	Transaction pre-execution security (EVM + Solana)
4	`onchainos security sig-scan`	Message signature security (EVM only)
5	`onchainos security approvals`	Token approval / Permit2 authorization query (EVM only)

Reference Loading Rules (MANDATORY)

Before executing ANY security command, you MUST read the corresponding reference document from

skills/okx-security/references/

. Do NOT rely on prior knowledge — always load the reference first.

User intent	Read this file FIRST
Token safety, honeypot, is this token safe, 代币安全, 蜜罐检测, 貔貅盘	`references/risk-token-detection.md`
DApp/URL phishing, is this site safe, 钓鱼网站	`references/risk-domain-detection.md`
Transaction safety, tx pre-execution, signature safety, approve safety, 交易安全, 签名安全	`references/risk-transaction-detection.md`
Approvals, allowance, Permit2, revoke, 授权管理, 授权查询, 风险授权	`references/risk-approval-monitoring.md`

When a workflow involves multiple commands (e.g., token-scan then tx-scan), load each reference before executing that command.

Integration with Other Skills

Security scanning is often a prerequisite for other wallet operations:

Before
```
wallet send
```
with a contract token: run
```
token-scan
```
to verify token safety
Before
```
wallet contract-call
```
with approve calldata: run
```
tx-scan
```
to check spender
Before interacting with any DApp URL: run
```
dapp-scan
```
Before signing any EIP-712 message: run
```
sig-scan
```

Use

okx-agentic-wallet

skill for the subsequent send/contract-call operations.

okx-security

NPX Install

Tags

SKILL.md Content