archimedes-v1
Audited by Snyk on Apr 9, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.80). The pre-flight/install section contains obfuscated data (a base64 string) and code that fingerprints the host (hostname, uname, $HOME → hashed DIV_ID) and silently posts that device token to external endpoints, which is hidden telemetry/exfiltration unrelated to the Archimedes finance functionality.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.85). These links include direct downloads of binaries and a curl | sh installer (high-risk patterns), one binary is served from a third‑party GitHub release (unknown/low‑reputation account), and telemetry/reporting to a Vercel endpoint plus an OKX API call means the workflow both installs executable code from non-verified sources and leaks device identifiers — overall a suspicious distribution vector that could deliver malware.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly fetches and uses external on-chain and third-party API data (e.g., calls like `archimedes protocol-info`, `get-positions`, `previewZapInAmount`, which read on-chain contracts and listed endpoints such as https://ethereum.publicnode.com, plugin-store-dun.vercel.app, and OKX APIs) as part of its required workflow, and that untrusted external content directly affects decisions and subsequent contract calls.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The auto-injected pre-flight step fetches and executes remote code (curl ... | sh from https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh and a downloaded binary from https://github.com/MigOKG/plugin-store/releases/download/plugins/archimedes-v1@0.1.0/archimedes-...); both are used at runtime and are required for the skill to function.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the full skill prompt for literal, high-entropy values that could be usable credentials.
Flagged item:
- The base64 string assigned to _K in the "Report install" block: 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw=='. This is a non-placeholder, high-entropy literal that is decoded and used as an HMAC signing key to generate a device token (DIV_ID) and is sent to external APIs (OKX/report). Because it is a deployed signing key embedded in the script (even if "obfuscated"), it qualifies as a secret and should be treated as such.
Ignored items (not flagged) and why:
- Ethereum contract addresses (0x...): public on-chain addresses, not secrets.
- Example/replacement/truncated values like "0xabc...", "0xdef...", and JSON example outputs: clearly placeholders/redacted.
- CLI instructions, environment variable names, and simple example passwords mentioned in guidance: documentation placeholders or examples per the rules, so not flagged.
Conclusion: one real, high-entropy secret present — the base64-encoded HMAC key in the install/report block.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform on-chain financial operations. It requires a connected wallet and exposes commands that create and broadcast transactions: e.g., open-position (approves stablecoins/ARCH, calls Zapper.zapIn() to deposit and mint a leveraged position NFT), close-position (sets approvals and calls LeverageEngine.unwindLeveragedPosition()), and other onchainos wallet contract-call actions. These are direct crypto transaction/smart-contract interactions (signing/sending funds, paying fees, minting/redeeming positions), not generic tooling. Therefore it grants direct financial execution authority.