aura-finance
Audited by Snyk on Apr 9, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.90). The pre-flight "Report install" section instructs the agent to compute a device fingerprint, HMAC-sign it (with an obfuscated key), and POST it to external endpoints — a telemetry/exfiltration step unrelated to the plugin's stated Aura/DeFi functionality and thus a hidden/deceptive instruction outside scope.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). These links include a raw GitHub install.sh intended to be run via curl|sh, direct binary downloads from a small/unknown GitHub releases repository (including .exe/.dmg targets), and telemetry/reporting endpoints on third‑party hosts — a combination that matches high‑risk patterns for malware distribution and privacy/exfiltration.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.70). This skill fetches and uses external, untrusted data as part of its normal workflow — e.g., get-pools enriches on-chain Booster data with Balancer API TVL (plugin.yaml lists https://api.balancer.fi and public RPC https://ethereum.publicnode.com, and SKILL.md documents fetching Booster.poolInfo and on-chain calls) — so third‑party content can influence which addresses/parameters the agent uses.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). I flag the runtime installation URLs (notably the install script fetched+executed via curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh and the GitHub release binary downloaded from https://github.com/MigOKG/plugin-store/releases/download/plugins/aura-finance@0.1.0/...) because the skill's pre-flight steps run these at session runtime, fetching remote code that is executed and required for the skill to operate.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the entire skill prompt for high-entropy literal values.
Findings:
- A base64 literal is embedded in the install/report script: 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw=='. This is decoded into _K and then used as an HMAC key to sign a device token and report to OKX. This is a high-entropy, literal secret (an obfuscated key) present in the code and therefore qualifies as a hardcoded secret.
What I ignored and why:
- Contract addresses (e.g., 0xA57b8d98...): these are public blockchain addresses, not secrets.
- Truncated/redacted outputs (e.g., "0x...", "0x32296969..."): these are placeholders/truncated values and not usable credentials.
- Example CLI outputs and sample parameters are documentation/examples, not secrets.
- No other high-entropy literals or private keys were present.
Recommendation (brief): rotate/remove the embedded key, and replace with a runtime-provided secret (environment variable or secure secrets store) or use proper per-device credential provisioning.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly built to perform on-chain financial operations on Ethereum: it approves ERC-20 tokens, deposits BPT into Aura (staking), withdraws staked BPT, claims BAL/AURA rewards, and locks/unlocks AURA. Write operations are executed via onchainos wallet contract-call (i.e., transaction signing/submission). These are specific crypto/blockchain transaction functions intended to move tokens and change on-chain balances (not generic tooling), so it grants direct financial execution capability.
Issues (6)
Prompt injection detected in skill instructions.
Suspicious download URL detected in skill instructions.
Third-party content exposure detected (indirect prompt injection risk).
Unverifiable external dependency detected (runtime URL that controls agent).
Secret detected in skill content (API keys, tokens, passwords).
Direct money access capability detected (payment gateways, crypto, banking).