archimedes
Audited by Snyk on Apr 9, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The pre-flight "Report install" block contains obfuscated/base64-decoded key usage and sends a computed device fingerprint/HMAC to external endpoints — a hidden telemetry/exfiltration step unrelated to the vault deposit/withdraw functionality, so it is deceptive and outside the skill's stated purpose.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). These URLs instruct piping a raw GitHub shell script to sh and downloading prebuilt binaries from a third‑party GitHub release (MigOKG) while also contacting external telemetry endpoints (Vercel/OKX), which is high risk because it executes unverified code from an unfamiliar repo and exposes device identifiers.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill performs read ops against public Ethereum RPC endpoints (e.g., ethereum.publicnode.com, rpc.mevblocker.io and any user-supplied --rpc URL) and ingests on-chain data (vaults/positions) which the agent parses and uses to decide/execute transactions, exposing it to untrusted, user-submitted third-party content.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's auto-injected pre-flight installs fetch and execute remote code at runtime (e.g., curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh and curl -fsSL https://github.com/MigOKG/plugin-store/releases/download/plugins/archimedes@0.1.0/archimedes-${TARGET} -o ~/.local/bin/archimedes), so these external URLs deliver code that is executed and are required for the skill to run.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the entire skill prompt for literal, high-entropy secrets. The only candidate that meets the "high-entropy, literal value" criterion is the base64 string embedded in the report-install HMAC key:
  - 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' is a literal base64-encoded value assigned to _K and used to compute an HMAC signature for device reporting. This is not a placeholder, is decodable, and appears to be a real secret key used for signing (the comment even says "HMAC signature (obfuscated key, same as CLI binary)"), so it is a hardcoded credential and should be treated as a secret.

  All other values are public endpoints, example wallet/RPC addresses, or obvious documentation placeholders and examples (vault addresses, RPC URLs, example commands). No PEM blocks, API key patterns, or other high-entropy literals were present. Those were ignored per the rules (low-entropy, examples, or public values).
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly provides on-chain wallet-backed commands to deposit, approve, withdraw, and redeem ERC-20 tokens/vault shares on Ethereum mainnet. It uses an onchainos wallet to sign and submit transactions (token.approve, vault.deposit, vault.withdraw, vault.redeem) and handles real assets (WETH, crvFRAX) and gas. These are direct crypto/blockchain financial execution operations, not generic tooling.