market-structure-analyzer

Pass

Audited by Gen Agent Trust Hub on May 7, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses subprocess.run to invoke the okx and onchainos CLI tools; this is its intended primary mechanism for data gathering. Analysis of scripts/fetch_market_data.py shows that command arguments are passed as a list (so no shell is spawned and no shell interpolation occurs) and that user-supplied tokens are validated against a hardcoded map before any command is built, so unrecognised input is rejected rather than reaching the command line. Together these prevent command injection.
  • [EXTERNAL_DOWNLOADS]: The dashboard frontend (dashboard.html) fetches legitimate libraries (React, Babel, Lightweight Charts) from unpkg.com. Data-fetching scripts retrieve market information from well-known industry sources including okx.com, coinmetrics.io, coingecko.com, alternative.me, and llama.fi. These are appropriate and safe for the skill's purpose.
  • [REMOTE_CODE_EXECUTION]: The skill starts a local HTTP server on port 8420 to serve a graphical dashboard. Although this runs a server on the host, the implementation is limited to serving static assets and exposing a read-only API for market data. No unsafe dynamic execution or evaluation of remote code was detected.
  • [PROMPT_INJECTION]: A static detector warning regarding concealment in SKILL.md was identified as a false positive. The warning likely triggered on the standard CLI practice of redirecting error output to /dev/null in a documentation example. The instructions themselves encourage transparency and detailed reporting.
  • [DYNAMIC_EXECUTION]: An __import__ call in fetch_market_data.py was identified by static analysis as a dynamic import. However, this is used for an inline import of the standard Python datetime module and does not present a security risk.
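The argv-construction pattern credited in the COMMAND_EXECUTION finding, shown as an added illustration for this page rather than the skill's own code. The token map, the CLI name and its flag names are assumptions made for the example; the real okx command syntax is not reproduced here. The unsafe shell-string form is included for contrast only and is never executed.

```python
"""Added example: allowlist validation plus list-form subprocess.run.
Illustrative code for this audit page, not from the skill. TOKEN_MAP and
the 'okx market candles' invocation are assumptions, not the real CLI."""
import shlex
import subprocess
from typing import Dict, List

# Assumed allowlist: user-facing symbol -> instrument identifier.
# Only values taken from this map are ever placed on the command line.
TOKEN_MAP: Dict[str, str] = {
    "BTC": "BTC-USDT",
    "ETH": "ETH-USDT",
    "SOL": "SOL-USDT",
}


def build_argv(token: str, bars: int = 100) -> List[str]:
    """Build the argument vector for the (assumed) market-data CLI call.

    The user-supplied token is normalised and looked up in TOKEN_MAP; any
    value not in the map raises before it can become an argument. The
    result is a list, so subprocess.run executes it without a shell and
    metacharacters in the input would not be interpreted even if the
    allowlist check were somehow bypassed.
    """
    key = token.strip().upper()
    if key not in TOKEN_MAP:
        raise ValueError(f"unknown token {token!r}; allowed: {sorted(TOKEN_MAP)}")
    if not 1 <= bars <= 1000:
        raise ValueError("bars must be between 1 and 1000")
    # Hypothetical invocation; flag names are assumptions for this example.
    return ["okx", "market", "candles", "--inst", TOKEN_MAP[key], "--limit", str(bars)]


def run_fetch(token: str, bars: int = 100, argv0: str = "okx") -> str:
    """Execute the command with shell=False (the default).

    argv0 lets a caller substitute a harmless binary such as 'echo' so the
    pattern can be exercised offline without the real CLI installed.
    """
    argv = build_argv(token, bars)
    argv[0] = argv0
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout


def unsafe_command_line(token: str) -> str:
    """The pattern the audit confirms is NOT used: raw input interpolated
    into a shell string. Returned, never run, to show what would reach
    the shell if validation and list-form arguments were absent."""
    return f"okx market candles --inst {token}-USDT"


def quoted_command_line(token: str) -> str:
    """If a shell string were unavoidable, shlex.quote is the minimum
    mitigation; it is still weaker than allowlist plus list-form argv."""
    return f"okx market candles --inst {shlex.quote(token + '-USDT')}"
```

Calling `build_argv("BTC; rm -rf ~")` raises ValueError because the normalised key is not in the map, whereas `unsafe_command_line` with the same input returns a string that a shell would split at the semicolon. `run_fetch("eth", 5, argv0="echo")` demonstrates the list form end to end without the real CLI.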
Audit Metadata
Risk Level: SAFE
Analyzed: May 7, 2026, 06:51 AM