
submit: go-sol-price v1.0.0 #36

Merged
mig-pre merged 1 commit into mig-pre:main from yz06276:submit/go-sol-price-v1.0.0
Apr 28, 2026

@yz06276 yz06276 commented Apr 28, 2026

go-sol-price v1.0.0

This PR submits the go-sol-price plugin at version 1.0.0 for build verification, AI review, and release on mig-pre/plugin-store.

What this PR contains

  • New / updated source under skills/go-sol-price/
  • plugin.yaml declares version 1.0.0 (and matching language source version, e.g. Cargo.toml)
  • No modifications to .github/, registry.json, or marketplace.json — those are auto-generated post-merge by update-registry.yml

Phase expectations

  • Phase 1 (Structure) must pass.
  • Phase 2 (Build) compiles the binary across 9 cross-platform targets.
  • Phase 3 (AI Review) is advisory — not a merge blocker.
  • Phase 4 (Publish) runs after maintainer approval and creates the release at plugins/go-sol-price@1.0.0 with all 9 binaries + checksums.txt.

Submitter notes

This PR is the upstream half of a dual-repo publish flow. After merge here, the post-merge tree (with auto-injected pre-flight) is mirrored to okx/plugin-store via a separate PR, and the release binaries are uploaded byte-identical to okx.


Submitted via plugin-store-publish skill.

@github-actions

🔨 Phase 2: Build Verification — ✅ PASSED

Plugin: go-sol-price | Language: go
Source: @

Compiled from developer source code by our CI. Users install our build artifacts.

Build succeeded. Compiled artifact uploaded as workflow artifact.


Source integrity: commit SHA `` is the content fingerprint.

@github-actions

✅ Phase 1: Structure Validation — PASSED

Linting skills/go-sol-price...


✓ Plugin 'go-sol-price' passed all checks!

→ Proceeding to Phase 2: Build Verification

@github-actions

📋 Phase 3: AI Code Review Report — Score: 88/100

Plugin: go-sol-price | Recommendation: ✅ Ready to merge

🔗 Reviewed against latest onchainos source code (live from main branch) | Model: claude-opus-4-7 via Anthropic API | Cost: ~345677+4463 tokens

This is an advisory report. It does NOT block merging. Final decision is made by human reviewers.


1. Plugin Overview

| Field | Value |
|---|---|
| Name | go-sol-price |
| Version | 1.0.0 |
| Category | analytics |
| Author | yz06276 (yz06276) |
| License | MIT |
| Has Binary | Yes (with build config) |
| Risk Level | Low |

Summary: A minimal Go CLI that queries OKX's public spot ticker API and prints the current SOL/USDT price. No authentication required, no on-chain operations, no third-party Go dependencies.

Target Users: Developers and traders who want a quick CLI tool to check SOL spot price without setting up API keys or browser-based interfaces.

2. Architecture Analysis

Components:

  • Skill (SKILL.md, SUMMARY.md)
  • Binary (Go source: main.go, go.mod)

Skill Structure:
SKILL.md is concise (~30 lines) with sections: When to use, Usage, How it works, Limitations. No reference docs subdirectory. Trigger keywords cover English and Chinese phrasing.

Data Flow:

  1. CLI invocation → HTTP GET to https://www.okx.com/api/v5/market/ticker?instId=SOL-USDT
  2. Parse JSON response, extract data[0].last
  3. Print formatted price to stdout
  4. Exit non-zero on error

Dependencies:

  • Go stdlib only (encoding/json, net/http, fmt, os, time)
  • No third-party Go modules
  • External: OKX public ticker API

3. Auto-Detected Permissions

onchainos Commands Used

| Command Found | Exists in onchainos CLI | Risk Level | Context |
|---|---|---|---|
| (none) | N/A | N/A | Plugin does not use onchainos CLI |

Wallet Operations

| Operation | Detected? | Where | Risk |
|---|---|---|---|
| Read balance | No | | Low |
| Send transaction | No | | High |
| Sign message | No | | High |
| Contract call | No | | High |

External APIs / URLs

| URL / Domain | Purpose | Risk |
|---|---|---|
| https://www.okx.com/api/v5/market/ticker | Fetch SOL/USDT spot price (public, no auth) | Low |

Chains Operated On

None directly — fetches off-chain CEX ticker data only. SOL is referenced by name but no on-chain interaction occurs.

Overall Permission Summary

This plugin makes a single read-only HTTPS call to OKX's public ticker endpoint, parses the response, and prints a price string. It does not access wallets, sign anything, broadcast transactions, read sensitive paths, or persist data. Risk is minimal — equivalent to a curl | jq shell snippet wrapped in a Go binary.

4. onchainos API Compliance

Does this plugin use onchainos CLI for all on-chain write operations?

N/A — plugin performs no on-chain operations.

On-Chain Write Operations (MUST use onchainos)

| Operation | Uses onchainos? | Self-implements? | Detail |
|---|---|---|---|
| Wallet signing | N/A | No | No signing |
| Transaction broadcasting | N/A | No | No broadcasting |
| DEX swap execution | N/A | No | Read-only price query |
| Token approval | N/A | No | None |
| Contract calls | N/A | No | None |
| Token transfers | N/A | No | None |

Data Queries (allowed to use external sources)

| Data Source | API/Service Used | Purpose |
|---|---|---|
| OKX public ticker API | https://www.okx.com/api/v5/market/ticker | Spot price lookup |

External APIs / Libraries Detected

  • OKX public ticker REST endpoint (no auth, no API key)
  • Go stdlib net/http for HTTPS GET

Verdict: ✅ Fully Compliant

Plugin performs no on-chain write operations. Read-only data query against a public CEX endpoint is explicitly allowed.

5. Security Assessment

Static Rule Scan (C01-C09, H01-H09, M01-M08, L01-L02)

| Rule ID | Severity | Title | Matched? | Detail |
|---|---|---|---|---|
| M03 | MEDIUM | third-party-content | ⚠️ (downgraded INFO) | client.Get(apiURL) fetches external content. However, the response is parsed into typed Go structs (only code, msg, instId, last, ts) and only last is printed. No raw response is rendered to LLM context. Risk is negligible. |

No other static rules matched.

LLM Judge Analysis (L-PINJ, L-MALI, L-MEMA, L-IINJ, L-AEXE, L-FINA, L-FISO)

| Judge | Severity | Detected | Confidence | Evidence |
|---|---|---|---|---|
| L-PINJ | CRITICAL | No | 0.95 | No injection patterns; no user input passed to shell |
| L-MALI | CRITICAL | No | 0.95 | Behavior matches description exactly — single price fetch |
| L-MEMA | HIGH | No | 0.95 | No memory file writes |
| L-IINJ | INFO | Yes | 0.90 | External request to OKX ticker; but response is field-filtered before display — INFO only |
| L-AEXE | INFO | No | 0.90 | No autonomous execution; single deterministic call |
| L-FINA | INFO | No (read-only) | 0.95 | Pure read-only price query — exempt |
| L-FISO | INFO | N/A | 0.90 | No financial operation to isolate |

Toxic Flow Detection (TF001-TF006)

No toxic flows detected. No direct-financial operations, no credential access, no command injection, no persistence.

Prompt Injection Scan

  • No instruction override phrases
  • No identity manipulation
  • No hidden behavior (no base64, no Unicode escapes, no HTML comments with hidden instructions)
  • No confirmation bypass (no privileged operations exist)
  • No hidden content

Result: ✅ Clean

Dangerous Operations Check

No transfers, signing, contract calls, or broadcasting. Read-only HTTPS GET only.

Result: ✅ Safe

Data Exfiltration Risk

The only outbound network call is to a fixed, hardcoded public endpoint (www.okx.com/api/v5/market/ticker?instId=SOL-USDT). No environment variables, no file system access, no user input is transmitted. No exfiltration vector.

Result: ✅ No Risk

Overall Security Rating: 🟢 Low Risk

6. Source Code Security

Language & Build Config

  • Language: Go 1.22
  • Entry point: main.go
  • Binary name: go-sol-price
  • Module: github.com/okx/plugin-store/skills/go-sol-price

Dependency Analysis

Zero third-party dependencies. go.mod declares no require block beyond the implicit Go stdlib. This is the safest possible dependency posture — no supply chain attack surface.

Code Safety Audit

| Check | Result | Detail |
|---|---|---|
| Hardcoded secrets (API keys, private keys, mnemonics) | | None — public endpoint, no auth |
| Network requests to undeclared endpoints | | Only https://www.okx.com/api/v5/market/ticker (declared in plugin.yaml api_calls) |
| File system access outside plugin scope | | No file I/O |
| Dynamic code execution (eval, exec, shell commands) | | No os/exec, no eval |
| Environment variable access beyond declared env | | No env var reads |
| Build scripts with side effects (build.rs, postinstall) | | Pure go build, no scripts |
| Unsafe code blocks (Rust) / CGO (Go) | ✅ N/A | No import "C", no unsafe |

Does SKILL.md accurately describe what the source code does?

Yes. SKILL.md states "Single GET ... parses data[0].last, prints. 10-second timeout, exits non-zero on network or API error." This matches main.go exactly: 10s timeout client, GET request, JSON decode, error handling, prints SOL/USDT: <last>.

Verdict: ✅ Source Safe

7. Code Review

Quality Score: 88/100

| Dimension | Score | Notes |
|---|---|---|
| Completeness (pre-flight, commands, error handling) | 22/25 | All paths handled (network error, decode error, API error, non-zero code). No pre-flight needed (no dependencies). Could add retry/backoff, but acceptable for a demo. |
| Clarity (descriptions, no ambiguity) | 23/25 | SKILL.md is crisp. Trigger phrases include English + Chinese. Limitations section is honest. |
| Security Awareness (confirmations, slippage, limits) | 25/25 | No risky ops to confirm; explicitly notes "read-only — no trading, no signing, no on-chain action" |
| Skill Routing (defers correctly, no overreach) | 14/15 | Single-purpose; doesn't claim other capabilities. Could mention okx-dex-market for richer queries but not required. |
| Formatting (markdown, tables, code blocks) | 4/10 | SKILL.md is plain prose without command tables; SUMMARY.md is well-structured. Minor — within acceptable bounds for a tiny plugin. |

Strengths

  • Zero third-party dependencies — minimal supply chain risk
  • Read-only, single-endpoint — clear, auditable behavior
  • Honest scope statement — limitations section explicitly disclaims trading/signing

Issues Found

  • 🔵 Minor: Hardcoded SOL-USDT only — could parametrize via flag (--symbol) for broader utility
  • 🔵 Minor: No retry on transient network errors (acceptable for an on-demand CLI)
  • 🔵 Minor: SKILL.md could include a small command-reference table for stylistic consistency with other plugins

8. Language Check

| File | Language Detected | English? |
|---|---|---|
| SKILL.md | English (with brief Chinese trigger examples) | |
| SUMMARY.md | English | |

Body text is English; Chinese examples are limited to trigger-phrase examples (查 SOL 价格, SOL/USDT 报价) — explicitly allowed for keyword coverage.

9. SUMMARY.md Review

| Check | Result |
|---|---|
| File exists | |
| Written in English | |
| Has Overview section | |
| Has Prerequisites section | |
| Has Quick Start section | |
| Character count ≤ 17,000 | ✅ 724 chars |

11. Recommendations
  1. (Minor) Consider adding a --symbol <PAIR> flag to make the CLI useful beyond SOL/USDT (e.g., BTC-USDT, ETH-USDC). Low effort, high utility.
  2. (Minor) Add a single-line retry on transient network failures (e.g., one retry after 1s) to improve UX on flaky networks.
  3. (Minor) Consider adding a --json output mode for piping to jq/scripts.
  4. (Optional) Add a small Commands table to SKILL.md for stylistic alignment with other OKX plugins.

12. Reviewer Summary

One-line verdict: A clean, minimal, read-only Go CLI that queries OKX's public SOL/USDT ticker — zero dependencies, zero on-chain actions, zero security concerns.

Merge recommendation: ✅ Ready to merge

Blockers (if any — list every issue that MUST be fixed before merge, each prefixed with ❌):

No blockers found.

The plugin is a textbook-clean read-only data-query plugin. It uses no third-party dependencies, makes a single hardcoded HTTPS GET to a public endpoint, parses a typed response, and prints one field. There are no wallets, no signing, no broadcasting, no credential access, no file I/O, no shell execution, and no prompt-injection vectors. The skill description matches the code exactly. SUMMARY.md is well under the size limit and complete. Recommended improvements (parametrized symbol, retry, JSON mode) are non-blocking enhancements.


Generated by Claude AI via Anthropic API — review the full report before approving.

@mig-pre mig-pre merged commit 24811d3 into mig-pre:main Apr 28, 2026
14 checks passed