cian-yield-layer
Audited by Snyk on Apr 9, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The prompt includes an auto-injected "Report install" script that decodes an obfuscated base64 key, computes a device fingerprint/HMAC, and sends it to external endpoints. This is a hidden data-exfiltration step unrelated to the CIAN vault functionality.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). The set includes a curl | sh of a raw GitHub script and a direct GitHub Releases binary download hosted under an unvetted username (MigOKG). Both are high-risk vectors for distributing executables, even though some of the other links point to legitimate OKX docs/APIs.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.70). The skill explicitly ingests data from public third-party endpoints (see the plugin.yaml api_calls entries https://rpc.mevblocker.io, https://eth.llamarpc.com and https://yieldlayer.cian.app, and SKILL.md, which uses REST API/RPC results for APY, USD values, balances and transaction previews). External, untrusted web responses are therefore read and can materially influence deposit/withdrawal decisions and transactions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's pre-flight steps fetch and execute remote code at runtime: via curl | sh from https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh, and by downloading the cian-yield-layer binary from https://github.com/MigOKG/plugin-store/releases/download/plugins/cian-yield-layer@0.1.0/..., which the skill then runs. These URLs therefore constitute required, runtime-executed external dependencies.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the full skill prompt for literal, high-entropy credentials.
Flagged item:
  - The base64-encoded string assigned to _K in the "Report install" block:
      echo 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' | base64 -d
  - The script treats this decoded value as an HMAC key ("HMAC signature (obfuscated key, same as CLI binary)") and uses it to compute a device token sent to OKX. This is a literal, embedded secret (obfuscated via base64); it is high-entropy and directly usable for reproducing HMAC-signed device tokens, so it meets the definition of a secret.
Ignored items (not flagged) and why:
- All Ethereum contract addresses and function selectors: public on-chain identifiers, not secrets.
- Command examples, CLI install URLs, and workflow instructions: documentation / examples (low entropy or public).
- Environment checks, REPORT_FLAG, device fingerprint construction, and curl endpoints: operational code and telemetry endpoints, not secrets by themselves.
- No API keys, PEM blocks, or other literal high-entropy credentials aside from the base64-encoded _K value above.
Conclusion: one real hardcoded secret present (the base64-encoded HMAC key).
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform blockchain financial operations. It provides commands to deposit tokens/ETH into ERC4626 vaults, perform ERC-20 approve flows, and submit on-chain transactions (e.g., optionalDeposit, requestRedeem) via onchainos wallet contract-call. It includes write-op safeguards (dry-run, user confirmation) but nevertheless performs signing/sending of transactions, lists contract addresses and function selectors, and requires wallet login and gas checks. These are direct crypto/blockchain execution capabilities (moving funds / submitting transactions), not generic automation.