The Agent Skills Directory

[SAFE]: The skill downloads its core binary and dependency installer from the vendor's official GitHub repositories (okx/plugin-store and okx/onchainos-skills). These sources are legitimate vendor resources and the downloads include SHA256 checksum verification.
[SAFE]: Order signing is delegated to the onchainos CLI using EIP-712 structured data. This design pattern ensures that the AI agent and the skill itself never handle or store the user's private keys.
[SAFE]: Polymarket API credentials (API key, secret, and passphrase) are cached locally in ~/.config/polymarket/creds.json with restricted Unix permissions (0600), preventing unauthorized access by other users on the system.
[SAFE]: The skill includes a dedicated sanitization module (src/sanitize.rs) that cleans API-sourced strings by stripping control characters and truncating long values. This mitigates risks associated with indirect prompt injection from external market data.
[SAFE]: The skill instructions in SKILL.md contain clear safety guidelines and a 'Data Trust Boundary' section that explicitly instructs the AI agent to treat all external API output as untrusted content.

polymarket-plugin