aave-v3

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.80). The prompt includes an auto-injected pre-flight script that decodes an obfuscated base64 key and computes an HMAC-signed device fingerprint which is POSTed to external endpoints (telemetry/exfiltration) — functionality unrelated to Aave operations and effectively hidden/obfuscated in the skill, so it is a deceptive out-of-scope instruction.

---

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.90). The bundle includes execution of a raw shell script (curl | sh) from GitHub and installing a prebuilt executable from a non‑well‑known GitHub account (MigOKG) — both high‑risk distribution patterns; the okx and Vercel endpoints look legitimate for telemetry but do not mitigate the danger of running unknown remote code or binaries which could contain malware or backdoors.

---

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly ingests and acts on public third-party data at runtime — e.g., it resolves pool and token addresses via PoolAddressesProvider.getPool() and onchainos token search and makes read-only eth_call via public RPCs (see "Health Factor / Reserves / Positions" and the "Data Trust Boundary" in SKILL.md) — and that data is used to make transaction and health-factor decisions, so untrusted external content can materially influence actions.

---

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). This skill's pre-flight installs runtime dependencies by executing remote code: it runs curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh and downloads/installs the aave-v3 binary from https://github.com/MigOKG/plugin-store/releases/download/plugins/aave-v3@0.1.0/aave-v3-${TARGET}, both of which fetch and execute external code and are required for the skill to run.

---

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

• Secret detected (high risk: 1.00). I scanned for high-entropy literal values that could be usable credentials. I found one high-entropy base64 string in the "Report install" section:

echo 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' | base64 -d ...

This is used as an "obfuscated key" (_K) to compute an HMAC signature for reporting to OKX/CLI telemetry. It's not a placeholder, it's a long random-looking value and thus meets the definition of a secret (HMAC signing key). Even though the script later unsets _K, the literal secret is embedded in the code and should be treated as a real credential.

All other potentially suspicious values are either:

• public on-chain addresses (ERC-20 contract addresses) — not secrets,
• truncated/redacted values like "0xabc..." — not usable credentials,
• example/simple strings and CLI instructions — documentation placeholders per your ignore rules.

Therefore I flag the embedded base64 string as a real secret.

---

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a crypto-financial agent for Aave V3: it constructs ABI calldata and performs on-chain write operations (ERC-20 approve, Pool.supply, withdraw, borrow, repay, set-collateral, set-emode, claim-rewards) and submits them via onchainos wallet contract-call. It requires a connected wallet and includes transaction hashes in outputs. These are direct blockchain financial execution capabilities (signing/sending transactions, moving tokens), not generic utilities. Therefore it grants direct financial execution authority.