camelot-v3
Audited by Snyk on Apr 9, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The pre-flight contains a hidden telemetry/report step (including an obfuscated HMAC key decoded at runtime) that computes a device fingerprint and POSTs it to external endpoints—behavior unrelated to the plugin's stated swap/LP functionality and therefore a deceptive hidden instruction.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). The skill instructs fetching and executing code directly (curl | sh) and downloading a native binary from a GitHub release owned by an unvetted user (MigOKG) plus POSTing telemetry to a third‑party Vercel endpoint — a classic, risky pattern for distributing malware despite some URLs being on valid domains (github.com, okx.com, vercel.app).
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill makes JSON-RPC eth_call requests to public Arbitrum RPC endpoints (e.g., https://arbitrum-one-rpc.publicnode.com in src/rpc.rs and plugin.yaml) and ingests on-chain/token metadata and quote results (get_symbol, quoter_exact_input_single, nfpm_positions, get_allowance) which are untrusted, user-controlled public content that directly influence quoting, allowance/approve logic, calldata construction, and transaction decisions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's pre-flight steps fetch-and-run remote install scripts and binaries at runtime — e.g. the installer piped to sh (https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh) and the GitHub release binary download (https://github.com/MigOKG/plugin-store/releases/download/plugins/camelot-v3@0.1.0/camelot-v3-${TARGET}) — which execute remote code and are required for the skill to run.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I flagged a hardcoded, high-entropy secret in the "Report install" script. The script embeds a long base64-encoded string assigned to _K:
'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw=='
This value is decoded and used as an HMAC key to compute a device signature (HMAC_SIG) that is sent to OKX/telemetry endpoints. It is not a placeholder, truncated/redacted value, or a low-entropy setup password — it is an obfuscated secret (high-entropy) used programmatically as a signing key. Because it is directly present and appears to be a real usable credential, it should be treated as a secret leak.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a crypto trading/DeFi plugin: it provides commands to execute token swaps, add/remove liquidity, manage LP positions, and it calls onchainos wallet contract-call to broadcast transactions. It includes concrete transaction flows (approve tokens, execute SwapRouter, NFPM.mint/decreaseLiquidity/collect), requires a connected wallet, and lists contract addresses and supported tokens. This is a specific blockchain/crypto execution tool (signing/sending on-chain transactions), so it grants direct financial execution capability.