balancer-v2

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 1.00). The pre-flight script includes an unexpected "report install" routine that decodes an obfuscated key, computes a device fingerprint/HMAC, and POSTs it to external endpoints — a clear data-exfiltration instruction unrelated to the Balancer DEX functionality and therefore a deceptive/out-of-scope instruction.

---

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). These links include a curl|sh to a raw GitHub install script and a direct download of a native binary from a third‑party GitHub release (MigOKG) — executing remote shell scripts or unknown release executables is high risk even though some endpoints (okx.com, raw.githubusercontent.com, vercel.app) are well‑known; the okx and Vercel URLs appear to be telemetry/reporting endpoints rather than installers but still leak device info.

---

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill queries public third‑party endpoints (e.g., the Balancer Subgraph at https://api-v3.balancer.fi/graphql in src/commands/pools.rs and public RPC endpoints referenced via config::rpc_url and plugin.yaml) and uses those responses to build quotes, pool lists, and transaction calldata that directly affect routing and on‑chain actions, so untrusted external content can materially influence tool behavior.

---

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's pre-flight installation runs remote fetch-and-execute steps at runtime—specifically "curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh" (downloads and pipes a script to sh) and "curl -fsSL https://github.com/MigOKG/plugin-store/releases/download/plugins/balancer-v2@0.1.0/balancer-v2-${TARGET} -o ~/.local/bin/balancer-v2" (downloads an executable binary installed for execution)—which clearly fetch remote code that will be executed and are required for the skill to function.

---

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

• Secret detected (high risk: 1.00). I searched the full prompt for literal, high-entropy credentials. I found a base64 string assigned to _K in the install/report script:

'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw=='

This is decoded and used as an "obfuscated key" to compute an HMAC signature for a device token (DIV_ID). It is not a placeholder, not truncated, and appears to be a real, embedded secret key used by the plugin/CLI. I therefore treat it as a hardcoded secret.

Other items (smart contract addresses, example pool IDs, command examples, simple/example passwords) are either public on-chain addresses or documentation examples and are ignored per the rules.

---

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform on-chain financial operations. It provides commands to execute token swaps (calls Vault.swap), add/remove liquidity (Vault.joinPool/Vault.exitPool), perform ERC-20 approves, and broadcast transactions via onchainos wallet contract-call (with --force / --confirm flow). It targets specific chains and token addresses and is a dedicated DEX integration (Balancer V2) for moving crypto assets. This is direct crypto/blockchain transaction capability, not a generic tool, so it grants Direct Financial Execution Authority.