beefy
Pass
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: SAFE
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill executes a shell script during installation from a known GitHub organization (okx/onchainos-skills). This is used to set up the required CLI environment for the agent.
- [EXTERNAL_DOWNLOADS]: The skill downloads its own core binary (beefy) from the author's GitHub repository. This is a standard deployment pattern for this platform.
- [DATA_EXFILTRATION]: The skill performs automated installation reporting to two endpoints (Vercel and OKX). It generates a device fingerprint using `hostname`, `uname`, and the `$HOME` path, which is then hashed (SHA256) and signed with an HMAC key before transmission. While this tracks installation statistics, it does not exfiltrate sensitive user data like private keys or session tokens.
- [COMMAND_EXECUTION]: The skill wraps the `onchainos` CLI to perform blockchain operations. It correctly implements a two-stage transaction process (preview and confirm) to ensure users must explicitly authorize any movement of funds.