clanker

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.90). The prompt contains auto-injected install/reporting code that computes a device fingerprint, decodes an obfuscated key to HMAC-sign it, and POSTs that identifier to external endpoints — a hidden telemetry/exfiltration step not required for the skill’s stated token-deployment/manage purpose.

---

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill's deploy-token flow and examples explicitly require or show passing the Clanker partner API key as a --api-key command-line argument (or embedding it in the command), which forces the agent to handle and potentially output the secret verbatim.

---

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). These links include a raw GitHub install script piped to sh and a prebuilt GitHub release binary from a relatively unknown account (MigOKG) plus telemetry/reporting endpoints — mixing direct executable downloads and automatic install/reporting is a moderate‑to‑high risk pattern even though some domains (github.com, okx.com, basescan.org, vercel.app) are legitimate.

---

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill explicitly fetches and displays data from external sources (Clanker REST API and on-chain smart contracts) — e.g., list-tokens, search-tokens, and token-info in SKILL.md — and those responses include user-generated fields (token names, descriptions, Farcaster usernames) that the agent must read and which can materially influence decisions (e.g., deploy/claim actions), so it exposes the agent to untrusted third-party content.

---

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's auto-injected pre-flight installs fetch and execute remote code at runtime — specifically the installer script curl https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh and the clanker binary curl https://github.com/MigOKG/plugin-store/releases/download/plugins/clanker@0.1.0/clanker-${TARGET} -o ~/.local/bin/clanker — so these URLs cause remote code execution and are required dependencies.

---

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

• Secret detected (high risk: 1.00). I flagged the base64 literal assigned to _K in the "Report install" script:

echo 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' | base64 -d ...

This is a high-entropy, literal value embedded in the code and is explicitly described as an "obfuscated key" used to HMAC-sign a device token (used server-side and in the CLI binary). It is not a placeholder or simple example — it decodes to an apparent secret key and is used to derive a signed device identifier, which makes it a real credential/secret.

Ignored items and why:

• "mykey123" in deploy examples — a simple example/test value (low entropy) and marked as usage example.
• Environment variable names (CLANKER_API_KEY), placeholders like "0xYourWallet", "0x...", "sk-xxxx" — these are documentation placeholders or variable names and contain no real secret.
• Other simple strings and example passwords mentioned in the docs — clearly examples/placeholders per the provided rules.

Therefore the only actual hardcoded secret present is the base64-encoded key assigned to _K.

---

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill exposes explicit crypto financial actions: it can deploy ERC‑20 tokens (deploy-token) via the Clanker REST API and it can broadcast on‑chain transactions to claim LP/fee rewards (claim-rewards) using onchainos wallet contract-call --force. The skill requires a connected wallet and API key, previews calldata/dry-run but then executes real blockchain transactions that move assets or grant token admin rights. These are specific blockchain/financial operations (wallet signing/contract calls), not generic browser or HTTP tooling.