opentrade-gateway

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.90). These links include a direct raw GitHub install.sh (curl | sh) from an unfamiliar GitHub org plus a nonstandard domain (6551.io) for credentials—an installation pattern that can deliver arbitrary code and is therefore suspicious without further vetting.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.85). This skill explicitly fetches and executes a public installer from raw.githubusercontent.com and queries OpenTrade public APIs (e.g., "opentrade trade routers", gas/simulate/broadcast responses) whose returned data the workflow must parse and act on (router selection, simulation->broadcast decisions), so it consumes untrusted third‑party content that can materially influence tool usage.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill instructs at runtime to run a remote install script via curl -sSL https://raw.githubusercontent.com/6551Team/openskills/main/skills/opentrade/install.sh | sh, which fetches and executes remote code and is used as a required installer/update step, creating a high-risk dependency.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform on-chain transaction execution for cryptocurrencies: it provides commands to broadcast signed transactions (opentrade gateway broadcast --signed-tx ...), simulate transactions, estimate gas, and track broadcast orders across many chains (Ethereum, Solana, BSC, Arbitrum, Polygon, etc.). It is the "final mile" that sends signed TXs on-chain and returns tx hashes/order IDs. This directly enables moving crypto funds on behalf of a user and therefore meets the "Crypto/Blockchain (Wallets, Swaps, Signing)" criterion for direct financial execution (even if it does not sign, it broadcasts and executes transactions).

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The prompt instructs the agent to execute remote installer scripts (curl | sh), reinstall software, and create/modify files (e.g., ~/.opentrade/last_check, .env), which modifies the host filesystem and could execute privileged or arbitrary code, so it poses a high risk of compromising the machine state.