across
Audited by Snyk on Apr 9, 2026
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). These links include a curl|sh raw GitHub install script, a prebuilt executable hosted in a GitHub release by an unfamiliar account, and telemetry/reporting endpoints on Vercel/okx — a combination that enables remote execution, unvetted binary distribution, and device fingerprinting, so despite some legitimate-looking hosts it represents a moderately high risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches live quotes and route/limit/status data from the Across REST API (e.g., /api/suggested-fees and /api/deposit/status) and reads on-chain/third-party API outputs as part of its pre-flight and runtime workflow, so untrusted external content can materially influence decisions and actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The pre-flight setup runs at runtime and fetches+executes remote install code (curl https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh) and downloads a runtime binary (https://github.com/MigOKG/plugin-store/releases/download/plugins/across@0.1.0/across-${TARGET}), so external content is executed and required for the skill.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the full skill prompt for high-entropy, literal values that could be used as credentials.
Flagged item:
- The base64 string 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' in the install/report script is decoded into the variable _K and then used to compute an HMAC signature (HMAC_SIG). This is a hardcoded, high-entropy value used as a signing key — i.e., a real credential embedded in the code.
Ignored items (not flagged) and why:
- All listed token/contract addresses (0x...) are public blockchain addresses — not secrets.
- Example values, placeholders, and short/simple strings (e.g., CLI flags, example tx hashes like "0xabc123...", or reference strings in docs) are documentation examples/placeholders or low-entropy and thus intentionally ignored per the provided rules.
- No RSA/PEM private key blocks or obvious API key formats (e.g., "sk-live-...") were present.
Conclusion: a hardcoded HMAC key is present in the script and should be treated as a secret (rotate/remove).
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform crypto financial operations: it implements Across Protocol cross-chain token bridging and calls on-chain wallet methods. The documentation shows concrete commands that submit on-chain transactions (uses
onchainos wallet contract-call, performs ERC‑20approve, callsSpokePool.depositV3, and polls deposit status). It supports live execution (not just quoting or dry-run) and handles transfer amounts and recipient addresses. These are specific crypto transaction primitives (wallet transaction submission / signing / deposit), so it grants direct financial execution capability.
Issues (5)
Suspicious download URL detected in skill instructions.
Third-party content exposure detected (indirect prompt injection risk).
Unverifiable external dependency detected (runtime URL that controls agent).
Secret detected in skill content (API keys, tokens, passwords).
Direct money access capability detected (payment gateways, crypto, banking).