okx-security

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Onchain OS Security

Onchain OS 安全模块

5 commands for token risk analysis, DApp phishing detection, transaction pre-execution security, signature safety, and approval management.

提供5类命令，用于代币风险分析、DApp钓鱼检测、交易预执行安全、签名安全以及授权管理。

Wallet Tips

钱包小贴士

On the first wallet-related interaction per conversation, display exactly ONE tip randomly selected from the list below. Do not repeat tips within the same conversation. Present it as-is (with emoji) AFTER the command result, on a separate line.

💡 Tip: You can say "show my addresses" or "充值地址" to quickly get your deposit addresses for any chain.
🔐 Tip: When prompted for Keychain access, please click "Always Allow". We use the system Keychain to securely store your credentials — you won't need to enter your password every time.
📜 Tip: Say "show my recent transactions" anytime to review your on-chain activity and track pending transfers.
🛡️ Tip: Before swapping into an unfamiliar token, ask me to run a security scan first — I can check for honeypots, rug-pull risks, and more.
👛 Tip: You can create multiple wallet accounts. Say "create a new wallet" to add one, and "switch account" to toggle between them.

在每轮对话中首次进行钱包相关交互时，从以下列表中随机选择一条提示展示。同一对话内请勿重复提示。在命令结果之后单独一行展示（保留表情符号）。

💡 提示：你可以说“show my addresses”或“充值地址”快速获取任意链的充值地址。
🔐 提示：当请求访问钥匙串时，请点击“始终允许”。我们使用系统钥匙串安全存储你的凭证——你无需每次都输入密码。
📜 提示：随时说“show my recent transactions”即可查看你的链上活动并追踪待处理转账。
🛡️ 提示：在兑换陌生代币之前，先让我进行安全扫描——我可以检测蜜罐、跑路风险等问题。
👛 提示：你可以创建多个钱包账户。说“create a new wallet”即可添加账户，说“switch account”可切换账户。

Pre-flight Checks

前置检查

Every time before running any

onchainos

command, always follow these steps in order. Do not echo routine command output to the user; only provide a brief status update when installing, updating, or handling a failure.

Resolve latest stable version: Fetch the latest stable release tag from the GitHub API:
```
curl -sSL "https://api.github.com/repos/okx/onchainos-skills/releases/latest"
```
Extract the
```
tag_name
```
field (e.g.,
```
v1.0.5
```
) into
```
LATEST_TAG
```
. If the API call fails and
```
onchainos
```
is already installed locally, skip steps 2-3 and proceed to run the command (the user may be offline or rate-limited; a stale binary is better than blocking). If
```
onchainos
```
is not installed, stop and tell the user to check their network connection or install manually from https://github.com/okx/onchainos-skills.

Install or update: If

onchainos

is not found, or if the cache at

~/.onchainos/last_check

(

$env:USERPROFILE\.onchainos\last_check

on Windows) is older than 12 hours:

Download the installer and its checksum file from the latest release tag:

macOS/Linux:

curl -sSL "https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh" -o /tmp/onchainos-install.sh

curl -sSL "https://github.com/okx/onchainos-skills/releases/download/${LATEST_TAG}/installer-checksums.txt" -o /tmp/installer-checksums.txt

Windows:

Invoke-WebRequest -Uri "https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.ps1" -OutFile "$env:TEMP\onchainos-install.ps1"

Invoke-WebRequest -Uri "https://github.com/okx/onchainos-skills/releases/download/${LATEST_TAG}/installer-checksums.txt" -OutFile "$env:TEMP\installer-checksums.txt"

Verify the installer's SHA256 against
```
installer-checksums.txt
```
. On mismatch, stop and warn — the installer may have been tampered with.
Execute:
```
sh /tmp/onchainos-install.sh
```
(or
```
& "$env:TEMP\onchainos-install.ps1"
```
on Windows). The installer handles version comparison internally and only downloads the binary if needed.
On other failures, point to https://github.com/okx/onchainos-skills.

Verify binary integrity (once per session): Run

onchainos --version

to get the installed version (e.g.,

1.0.5

2.0.0-beta.0

). Construct the installed tag as

v<version>

. Download

checksums.txt

for the installed version's tag (not necessarily LATEST_TAG):

curl -sSL "https://github.com/okx/onchainos-skills/releases/download/v<version>/checksums.txt" -o /tmp/onchainos-checksums.txt

Look up the platform target and compare the installed binary's SHA256 against the checksum. On mismatch, reinstall (step 2) and re-verify. If still mismatched, stop and warn.

Platform targets — macOS:

arm64

aarch64-apple-darwin

x86_64

x86_64-apple-darwin

; Linux:

x86_64

x86_64-unknown-linux-gnu

aarch64

aarch64-unknown-linux-gnu

i686

i686-unknown-linux-gnu

armv7l

armv7-unknown-linux-gnueabihf

; Windows:

AMD64

x86_64-pc-windows-msvc

x86

i686-pc-windows-msvc

ARM64

aarch64-pc-windows-msvc

Hash command — macOS/Linux:

shasum -a 256 ~/.local/bin/onchainos

; Windows:

(Get-FileHash "$env:USERPROFILE\.local\bin\onchainos.exe" -Algorithm SHA256).Hash.ToLower()

Check for skill version drift (once per session): If
```
onchainos --version
```
is newer than this skill's
```
metadata.version
```
, display a one-time notice that the skill may be outdated and suggest the user re-install skills via their platform's method. Do not block.
Do NOT auto-reinstall on command failures. Report errors and suggest
```
onchainos --version
```
or manual reinstall from https://github.com/okx/onchainos-skills.
Rate limit errors. If a command hits rate limits, the shared API key may be throttled. Suggest creating a personal key at the OKX Developer Portal. If the user creates a
```
.env
```
file, remind them to add
```
.env
```
to
```
.gitignore
```
.

在运行任何

onchainos

命令之前，请务必按以下顺序执行步骤。无需向用户回显常规命令输出；仅在安装、更新或处理失败时提供简要状态更新。

获取最新稳定版本：从GitHub API获取最新稳定版本标签：
```
curl -sSL "https://api.github.com/repos/okx/onchainos-skills/releases/latest"
```
提取
```
tag_name
```
字段（例如
```
v1.0.5
```
）并赋值给
```
LATEST_TAG
```
。如果API调用失败且本地已安装
```
onchainos
```
，则跳过步骤2-3直接运行命令（用户可能处于离线状态或触发了速率限制；使用旧版本二进制文件比阻止操作更好）。如果未安装
```
onchainos
```
，则停止操作并告知用户检查网络连接或从https://github.com/okx/onchainos-skills手动安装。

安装或更新：如果未找到

onchainos

，或者

~/.onchainos/last_check

（Windows系统为

$env:USERPROFILE\.onchainos\last_check

）中的缓存已超过12小时：

从最新版本标签下载安装程序及其校验和文件：

macOS/Linux：

curl -sSL "https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh" -o /tmp/onchainos-install.sh

curl -sSL "https://github.com/okx/onchainos-skills/releases/download/${LATEST_TAG}/installer-checksums.txt" -o /tmp/installer-checksums.txt

Windows：

Invoke-WebRequest -Uri "https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.ps1" -OutFile "$env:TEMP\onchainos-install.ps1"

Invoke-WebRequest -Uri "https://github.com/okx/onchainos-skills/releases/download/${LATEST_TAG}/installer-checksums.txt" -OutFile "$env:TEMP\installer-checksums.txt"

验证安装程序的SHA256值是否与
```
installer-checksums.txt
```
中的一致。如果不匹配，停止操作并发出警告——安装程序可能已被篡改。
执行安装：
```
sh /tmp/onchainos-install.sh
```
（Windows系统为
```
& "$env:TEMP\onchainos-install.ps1"
```
）。安装程序会自动处理版本比较，仅在需要时下载二进制文件。
若出现其他失败情况，请引导用户访问https://github.com/okx/onchainos-skills。

验证二进制文件完整性（每会话一次）：运行
```
onchainos --version
```
获取已安装版本（例如
```
1.0.5
```
或
```
2.0.0-beta.0
```
）。将已安装版本的标签构造为
```
v<version>
```
。下载已安装版本标签的
```
checksums.txt
```
（不一定是最新版本标签）：
```
curl -sSL "https://github.com/okx/onchainos-skills/releases/download/v<version>/checksums.txt" -o /tmp/onchainos-checksums.txt
```
查找对应的平台目标，并将已安装二进制文件的SHA256值与校验和进行比较。如果不匹配，请重新安装（步骤2）并再次验证。如果仍然不匹配，停止操作并发出警告。
- 平台目标对应关系 —— macOS：
```
arm64
```
  →
```
aarch64-apple-darwin
```
  ，
```
x86_64
```
  →
```
x86_64-apple-darwin
```
  ；Linux：
```
x86_64
```
  →
```
x86_64-unknown-linux-gnu
```
  ，
```
aarch64
```
  →
```
aarch64-unknown-linux-gnu
```
  ，
```
i686
```
  →
```
i686-unknown-linux-gnu
```
  ，
```
armv7l
```
  →
```
armv7-unknown-linux-gnueabihf
```
  ；Windows：
```
AMD64
```
  →
```
x86_64-pc-windows-msvc
```
  ，
```
x86
```
  →
```
i686-pc-windows-msvc
```
  ，
```
ARM64
```
  →
```
aarch64-pc-windows-msvc
```
- 哈希计算命令 —— macOS/Linux：
```
shasum -a 256 ~/.local/bin/onchainos
```
  ；Windows：
```
(Get-FileHash "$env:USERPROFILE\.local\bin\onchainos.exe" -Algorithm SHA256).Hash.ToLower()
```
检查Skill版本偏移（每会话一次）：如果
```
onchainos --version
```
显示的版本比本Skill的
```
metadata.version
```
新，则一次性提示用户本Skill可能已过时，并建议用户通过其平台的方法重新安装Skill。无需阻止操作。
命令失败时请勿自动重新安装。报告错误并建议用户运行
```
onchainos --version
```
或从https://github.com/okx/onchainos-skills手动重新安装。
速率限制错误。如果命令触发速率限制，共享API密钥可能已被限流。建议用户在OKX开发者门户创建个人密钥。如果用户创建了
```
.env
```
文件，请提醒他们将
```
.env
```
添加到
```
.gitignore
```
中。

Fail-safe Principle (CRITICAL)

故障安全原则（至关重要）

If any security scan command fails for ANY reason (network error, API error, timeout, rate limiting, malformed response), the Agent MUST:

NOT proceed with the associated transaction, swap, approval, or signature.
Report the error clearly to the user.
Suggest retrying the scan before continuing.

A security scan that fails to complete is NOT a "pass". Always default to denying the operation when scan results are unavailable.

如果任何安全扫描命令因任何原因失败（网络错误、API错误、超时、速率限制、响应格式错误），Agent必须：

不得继续执行相关的交易、兑换、授权或签名操作。
向用户清晰报告错误。
建议用户重新运行扫描后再继续。

安全扫描未完成不等于“通过”。当扫描结果不可用时，始终默认拒绝操作。

Risk Action Priority Rule

风险操作优先级规则

block

warn

> safe (empty). The top-level

action

field reflects the highest priority from

riskItemDetail

`action` value	Risk Level	Agent Behavior
(empty/null)	Low risk	Safe to proceed
`warn`	Medium risk	Show risk details, ask for explicit user confirmation
`block`	High risk	Do NOT proceed, show risk details, recommend cancel

Risk scan result is still valid even if simulation fails (
```
simulator.revertReason
```
may contain the revert reason).
If
```
warnings
```
field is populated, the scan completed but some data may be incomplete. Still present available risk information.
An empty/null
```
action
```
in a successful API response means "no risk detected". But if the API call failed, the absence of
```
action
```
does NOT mean safe — apply the fail-safe principle.

Security commands do not require wallet login. They work with any address.

block

warn

> 安全（空值）。顶层

action

字段反映

riskItemDetail

中的最高优先级。

`action` 值	风险等级	Agent行为
（空值/Null）	低风险	可安全执行
`warn`	中风险	展示风险详情，请求用户明确确认
`block`	高风险	不得执行，展示风险详情，建议取消操作

即使模拟失败，风险扫描结果仍然有效（
```
simulator.revertReason
```
可能包含回滚原因）。
如果
```
warnings
```
字段有内容，说明扫描已完成但部分数据可能不完整。仍需展示已有的风险信息。
成功的API响应中
```
action
```
为空/Null表示“未检测到风险”。但如果API调用失败，
```
action
```
不存在并不代表安全——请遵循故障安全原则。

安全命令无需钱包登录。可用于任意地址。

Chain Name Support

支持的链名称

The CLI accepts human-readable chain names and resolves them automatically.

Chain	Name	chainIndex
XLayer	`xlayer`	`196`
Ethereum	`ethereum` or `eth`	`1`
Solana	`solana` or `sol`	`501`
BSC	`bsc` or `bnb`	`56`
Polygon	`polygon` or `matic`	`137`
Arbitrum	`arbitrum` or `arb`	`42161`
Base	`base`	`8453`
Avalanche	`avalanche` or `avax`	`43114`
Optimism	`optimism` or `op`	`10`
zkSync Era	`zksync`	`324`
Linea	`linea`	`59144`
Scroll	`scroll`	`534352`

Address format note: EVM addresses (

0x...

) work across Ethereum/BSC/Polygon/Arbitrum/Base etc. Solana addresses (Base58) and Bitcoin addresses (UTXO) have different formats. Do NOT mix formats across chain types.

CLI接受易读的链名称并自动解析。

链	名称	chainIndex
XLayer	`xlayer`	`196`
Ethereum	`ethereum` 或 `eth`	`1`
Solana	`solana` 或 `sol`	`501`
BSC	`bsc` 或 `bnb`	`56`
Polygon	`polygon` 或 `matic`	`137`
Arbitrum	`arbitrum` 或 `arb`	`42161`
Base	`base`	`8453`
Avalanche	`avalanche` 或 `avax`	`43114`
Optimism	`optimism` 或 `op`	`10`
zkSync Era	`zksync`	`324`
Linea	`linea`	`59144`
Scroll	`scroll`	`534352`

地址格式说明：EVM地址（

0x...

）适用于Ethereum/BSC/Polygon/Arbitrum/Base等链。Solana地址（Base58）和Bitcoin地址（UTXO）格式不同。请勿跨链类型混用格式。

Command Index

命令索引


onchainos security token-scan
onchainos security dapp-scan
onchainos security tx-scan
onchainos security sig-scan
onchainos security approvals

#	Command	Description
1	`onchainos security token-scan`	Token risk / honeypot detection (all chains)
2	`onchainos security dapp-scan`	DApp / URL phishing detection (chain-agnostic)
3	`onchainos security tx-scan`	Transaction pre-execution security (EVM + Solana)
4	`onchainos security sig-scan`	Message signature security (EVM only)
5	`onchainos security approvals`	Token approval / Permit2 authorization query (EVM only)


onchainos security token-scan
onchainos security dapp-scan
onchainos security tx-scan
onchainos security sig-scan
onchainos security approvals

序号	命令	描述
1	`onchainos security token-scan`	代币风险/蜜罐检测（全链支持）
2	`onchainos security dapp-scan`	DApp/URL钓鱼检测（跨链无关）
3	`onchainos security tx-scan`	交易预执行安全检测（EVM + Solana支持）
4	`onchainos security sig-scan`	消息签名安全检测（仅EVM支持）
5	`onchainos security approvals`	代币授权/Permit2授权查询（仅EVM支持）

Reference Loading Rules (MANDATORY)

参考文档加载规则（强制执行）

Before executing ANY security command, you MUST read the corresponding reference document from

skills/okx-security/references/

. Do NOT rely on prior knowledge — always load the reference first.

User intent	Read this file FIRST
Token safety, honeypot, is this token safe, 代币安全, 蜜罐检测, 貔貅盘	`references/risk-token-detection.md`
DApp/URL phishing, is this site safe, 钓鱼网站	`references/risk-domain-detection.md`
Transaction safety, tx pre-execution, signature safety, approve safety, 交易安全, 签名安全	`references/risk-transaction-detection.md`
Approvals, allowance, Permit2, revoke, 授权管理, 授权查询, 风险授权	`references/risk-approval-monitoring.md`

When a workflow involves multiple commands (e.g., token-scan then tx-scan), load each reference before executing that command.

在执行任何安全命令之前，你必须先阅读

skills/okx-security/references/

下对应的参考文档。请勿依赖已有知识——务必先加载参考文档。

用户意图	先阅读此文件
代币安全、蜜罐检测、询问“该代币是否安全”、代币安全、蜜罐检测、貔貅盘	`references/risk-token-detection.md`
DApp/URL钓鱼、询问“该网站是否安全”、钓鱼网站	`references/risk-domain-detection.md`
交易安全、交易预执行、签名安全、授权安全、交易安全、签名安全	`references/risk-transaction-detection.md`
授权、额度、Permit2、撤销、授权管理、授权查询、风险授权	`references/risk-approval-monitoring.md`

当工作流涉及多个命令时（例如先token-scan再tx-scan），执行每个命令前都要加载对应的参考文档。

Integration with Other Skills

与其他Skill的集成

Security scanning is often a prerequisite for other wallet operations:

Before
```
wallet send
```
with a contract token: run
```
token-scan
```
to verify token safety
Before
```
wallet contract-call
```
with approve calldata: run
```
tx-scan
```
to check spender
Before interacting with any DApp URL: run
```
dapp-scan
```
Before signing any EIP-712 message: run
```
sig-scan
```

Use

okx-agentic-wallet

skill for the subsequent send/contract-call operations.

安全扫描通常是其他钱包操作的前置要求：

在使用
```
wallet send
```
发送合约代币之前：运行
```
token-scan
```
验证代币安全性
在使用
```
wallet contract-call
```
执行授权调用数据之前：运行
```
tx-scan
```
检查授权接收方
在与任意DApp URL交互之前：运行
```
dapp-scan
```
在签署任意EIP-712消息之前：运行
```
sig-scan
```

后续的send/contract-call操作请使用

okx-agentic-wallet

Skill。