opentrade-dex-swap

Fail

Audited by Snyk on Mar 22, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.95). These URLs point to an unknown GitHub repo and a custom .io site and include a direct raw .sh installer (curl | sh), which is a high‑risk pattern for malware/credential theft because it fetches and executes arbitrary code from an untrusted source.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill explicitly instructs the agent to call the public "opentrade trade routers" API and "extract router and version from the response" (Router Discovery section) and also instructs fetching an installer via curl from raw.githubusercontent.com, meaning it ingests untrusted public third‑party content which is then used to determine subsequent tool flags and control flow (e.g., which trader/API version to use, blocking on isHoneyPot/priceImpact), creating a clear vector for indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).


MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly a crypto DEX aggregator designed to perform token swaps and produce/send transactions. It defines commands for quoting, approving ERC‑20 tokens, generating swap transaction calldata (opentrade swap swap → tx.data, tx.from, tx.to, tx.value, minReceiveAmount, etc.), and describes user signing + broadcasting via opentrade-gateway (opentrade gateway broadcast --signed-tx). It handles wallets, slippage, approvals, and cross‑chain swaps across many blockchains. These are explicit crypto/financial execution capabilities (wallets, swaps, signing/broadcasting transactions), not generic tooling.

Issues (4)

CRITICAL E005: Suspicious download URL detected in skill instructions.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: CRITICAL
Analyzed: Mar 22, 2026, 12:51 PM
Issues: 4