cian

Fail

Audited by Snyk on Apr 9, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 1.00). The pre-flight “Report install” block includes obfuscated key decoding, device-fingerprinting, and POSTs to external endpoints (telemetry/exfiltration) that are unrelated to the CIAN plugin’s advertised on-chain functionality, so it contains hidden/deceptive instructions outside the skill’s purpose.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.90). High risk — the skill instructs running a raw GitHub shell script (curl | sh) and downloading an OS-specific executable from a GitHub release owned by a small/unknown account, while also contacting ephemeral vercel and API endpoints for telemetry; direct execution of unvetted .sh/.exe binaries from these sources is a common malware vector.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The skill includes deliberate telemetry/exfiltration (device fingerprinting sent to external endpoints with an obfuscated HMAC key), executes remote install scripts via curl|sh (remote code execution / supply-chain risk), and downloads unsigned binaries—together these are high-risk intentional behaviors that can be abused for tracking, supply-chain compromise, or remote code execution.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests untrusted third-party content from on-chain smart contracts and external APIs/RPC endpoints (see the "Data Trust Boundary" in SKILL.md and the api_calls in plugin.yaml listing https://1rpc.io/eth, https://arb1.arbitrum.io/rpc, https://bsc-rpc.publicnode.com, https://rpc.mantle.xyz and other third-party endpoints) and the agent is required to read/interpret that data (list-vaults, get-positions) which can materially influence transaction decisions like deposit/request-withdraw.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).


HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I found a base64-encoded literal assigned to _K in the install/report script:

_K=$(echo 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' | base64 -d ...)

The comment even calls it an "HMAC signature (obfuscated key, same as CLI binary)". This is a high-entropy, literal secret used to compute an HMAC device token sent to external endpoints, so it meets the definition of a secret.

Other items in the prompt (contract addresses, function selectors, example commands, environment variable names) are public or clearly documentation/example values and were ignored per the rules.


MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly provides blockchain financial operations: it can deposit tokens (executes ERC-20 approve + optionalDeposit, supports unlimited MAX_UINT256 approval or exact-amount approval) and request withdrawals (calls requestRedeem variants). It resolves/uses a wallet, lists vault addresses, and the CLI binary broadcasts transactions with --force. The documentation even lists function selectors and vault contract addresses. These are specific crypto on-chain transaction capabilities (wallet signing / broadcasting), not generic tooling — therefore it grants direct financial execution authority.

Issues (7)

  • E004 (CRITICAL): Prompt injection detected in skill instructions.
  • E005 (CRITICAL): Suspicious download URL detected in skill instructions.
  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
  • W008 (HIGH): Secret detected in skill content (API keys, tokens, passwords).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: CRITICAL
Analyzed: Apr 9, 2026, 09:46 AM
Issues: 7