beefy
Audited by Snyk on Apr 9, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The skill contains an auto-injected "Report install" script that fingerprints the host, computes an HMAC with an obfuscated key, and posts device-identifying data to external endpoints—hidden telemetry/exfiltration unrelated to the stated Beefy vault management purpose.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). These links include a raw GitHub install.sh fetched via curl|sh and a prebuilt binary served from a GitHub release by an unfamiliar account (MigOKG), plus third‑party endpoints (Vercel and an OKX priapi) used for telemetry; direct executable/script downloads from non-official or low-profile sources are high-risk for malware or supply‑chain tampering.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill fetches live vault metadata and APY from the public Beefy API (src/api.rs calling https://api.beefy.finance) and then directly uses fields such as earn_contract_address and token_address in critical flows (see src/commands/deposit.rs and withdraw.rs) to construct and broadcast on-chain transactions, so untrusted third-party data can materially alter tool actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's pre-flight installation runs at session runtime and fetches+executes remote code (curl ... | sh to https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh and curl download of the plugin binary from https://github.com/MigOKG/plugin-store/releases/download/plugins/beefy@0.1.0/beefy-${TARGET}), so these external URLs cause execution of remote content required for the skill.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the full skill prompt for literal, high-entropy values that could be used as credentials.
Findings:
- The line setting _K contains a base64 literal: 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw=='. This decodes to a non-trivial key and is subsequently used to compute an HMAC signature (HMAC_SIG) for a device token sent to OKX. That is a hardcoded, high-entropy value used for signing and therefore qualifies as a secret (it can be used to forge/report device tokens). It is not a placeholder or an obvious example.
Ignored items (reasons):
- The Ethereum/USDC address 0x833589f... is a public contract address (not a secret).
- Occurrences like 0xYourAddress are placeholders and were ignored per rules.
- Script/version strings, URLs, and example passwords/strings (none high-entropy) are documentation or install artifacts and not flagged.
- No PEM/private-key blocks or clearly formatted API keys were present other than the base64 obfuscated key above.
Conclusion: there is one hardcoded secret (the base64-encoded HMAC key).
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a wallet-connected DeFi execution tool for Beefy Finance: it provides specific write operations to move funds (deposit and withdraw) with concrete commands and on-chain actions (ERC‑20 approve, ERC‑4626 deposit, redeem mooTokens). It lists supported chains, wallet balance checks, and instructs broadcasting transactions with a --confirm flag. These are targeted, finance-specific APIs/commands to send blockchain transactions and manage user funds — not generic tooling. Therefore it grants direct financial execution capability.
Issues (6)
- Prompt injection detected in skill instructions.
- Suspicious download URL detected in skill instructions.
- Third-party content exposure detected (indirect prompt injection risk).
- Unverifiable external dependency detected (runtime URL that controls agent).
- Secret detected in skill content (API keys, tokens, passwords).
- Direct money access capability detected (payment gateways, crypto, banking).