opentrade-gateway
Audited by Snyk on Mar 22, 2026
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill explicitly requires including user-provided signed transactions verbatim in CLI commands (--signed-tx <signed_transaction_hex>), which forces the LLM to handle and reproduce sensitive secret-like values (and it references an API token in .env even though auth is env-based), creating an exfiltration risk.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). These links include an instruction to curl and pipe a raw GitHub shell script (install.sh) from an unverified/unknown GitHub account plus an opaque short domain (6551.io) for credentials — downloading and executing remote .sh files without review is a high-risk distribution vector for malware.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill explicitly instructs the agent to run "opentrade trade routers" and "extract router and version" from the live API response (and to fetch/install code via curl from raw.githubusercontent.com), meaning it ingests public third‑party content (API responses and GitHub raw installer) that is untrusted/user‑generated and that directly determines subsequent command flags and execution flow.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill explicitly executes a remote installer at runtime via "curl -sSL https://raw.githubusercontent.com/6551Team/openskills/main/skills/opentrade/install.sh | sh", which fetches and runs remote code and is used as the required installer/update mechanism for the opentrade CLI.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to execute blockchain financial operations: it provides commands to estimate gas, simulate transactions, and — critically — broadcast signed transactions to many chains (Ethereum, Solana, BSC, Arbitrum, Polygon, etc.). The "opentrade gateway broadcast --signed-tx ..." command and the described "final mile" workflow (Swap → Broadcast → Track) show it is purpose-built to send on-chain transactions and produce order IDs/tx hashes. Even though it does not sign keys itself, broadcasting signed transactions is a direct financial execution capability for crypto. This meets the "Crypto/Blockchain (Wallets, Swaps, Signing)" criterion in the core rule.