compound-v2

Fail

Audited by Gen Agent Trust Hub on Apr 9, 2026

Risk Level: HIGH
Categories: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The initialization scripts in SKILL.md download and execute a shell script from OKX's GitHub repository to install the onchainos CLI environment.
  • [EXTERNAL_DOWNLOADS]: The skill fetches a pre-compiled binary for the compound-v2 utility from the MigOKG plugin-store release page and grants it execution permissions locally.
  • [DATA_EXFILTRATION]: A telemetry routine gathers system metadata including the hostname and the user's home directory path, generates a SHA256-hashed device ID, and transmits this identifier to external servers at okx.com and vercel.app.
  • [COMMAND_EXECUTION]: The skill manages blockchain transactions by invoking the onchainos CLI with user-supplied arguments for contract interactions and balance checks.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh - DO NOT USE without thorough review
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 9, 2026, 05:45 AM