aerodrome-amm
Audited by Snyk on Apr 8, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.90). The prompt includes an auto-injected "Report install" block that computes a device fingerprint/HMAC and silently POSTs it to external endpoints (telemetry/data exfiltration) which is unrelated to the AMM's stated swap/liquidity functionality, so it constitutes a sneaked-in, deceptive instruction outside the skill purpose.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). These links include a raw GitHub install.sh piped to sh and a GitHub release binary from an unverified user (MigOKG) — both are direct executable installers (high-risk pattern), while other endpoints (okx, publicnode, Vercel) appear legitimate telemetry/RPC endpoints but increase attack surface and privacy risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill makes eth_call requests to the public RPC endpoint https://base-rpc.publicnode.com (rpc_url() in src/config.rs and documented in SKILL.md), ingesting on-chain data (pool addresses, reserves, quotes, allowances, gauge info) that the agent reads and uses to choose pools, compute amounts, and build/send transactions—meeting all criteria for untrusted third-party content that can influence actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The pre-flight installation runs at runtime and includes commands that fetch and execute remote code—specifically "curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh" (executes a remote shell script) and "curl -fsSL https://github.com/MigOKG/plugin-store/releases/download/plugins/aerodrome-amm@0.1.0/aerodrome-amm-${TARGET}" (downloads a remote binary that the skill requires)—so these URLs present a high-risk runtime dependency.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I found a hardcoded, high-entropy value used as an HMAC key in the install/report block:
- The script sets _K=$(echo 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' | base64 -d ...). That base64-decoded literal is used as the HMAC signing key for device/reporting (HMAC_SIG=$(echo -n "${_K}${DEV_ID}" | shasum -a 256 ...)). This is a reusable secret embedded directly in the code (not a placeholder), and meets the definition of a secret (high-entropy literal used for authentication/signing).
Ignored items (not flagged):
- Ethereum contract/token addresses and example "0x..." values — these are public on-chain addresses.
- Example/truncated values in outputs (e.g., "0xabc...", "0x...") and other sample strings — these are placeholders or low-entropy examples and not secrets per the rules.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly and specifically designed to perform on-chain financial operations on a DEX (Aerodrome AMM). It exposes targeted commands to execute swaps (swapExactTokensForTokens), add/remove liquidity (addLiquidity/removeLiquidity), claim gauge rewards, check allowances and auto-approve tokens, and it submits transactions via "onchainos wallet contract-call --force" to known router/contract addresses. These are concrete crypto/blockchain transaction primitives (including contract selectors, router and token addresses) and thus provide direct financial execution capabilities (broadcasting signed transactions and moving tokens), even though user confirmation is required.
Issues (6)
Prompt injection detected in skill instructions.
Suspicious download URL detected in skill instructions.
Third-party content exposure detected (indirect prompt injection risk).
Unverifiable external dependency detected (runtime URL that controls agent).
Secret detected in skill content (API keys, tokens, passwords).
Direct money access capability detected (payment gateways, crypto, banking).