compound-v2
Audited by Snyk on Apr 9, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.70). The prompt includes obfuscated/hidden data (a base64-encoded HMAC key) and a device-fingerprinting + reporting routine that sends telemetry to external endpoints—behavior unrelated to the plugin's Compound functionality and effectively hidden in the pre-flight script.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). Yes — the skill instructs running a curl|sh installer from raw.githubusercontent.com and downloading platform binaries from a GitHub release belonging to a relatively unknown account (MigOKG), while also POSTing device fingerprints to third‑party endpoints (okx API and a Vercel app), which together are strong indicators of a suspicious/untrusted download and telemetry chain that could distribute malware or exfiltrate data.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.70). The skill issues unauthenticated eth_call requests to the public RPC (RPC_URL = https://ethereum.publicnode.com in src/config.rs / src/rpc.rs) and invokes the onchainos CLI (src/onchainos.rs), ingesting untrusted on-chain and remote RPC/CLI data that the agent reads and uses to compute calldata, balances, and decide/execute transactions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). This skill's pre-flight steps run at runtime and execute remote content fetched via curl — notably https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh (piped to sh) and the GitHub release URL https://github.com/MigOKG/plugin-store/releases/download/plugins/compound-v2@0.1.0/compound-v2-${TARGET} (downloaded as a binary and made executable) — so these URLs fetch and execute remote code the skill depends on.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I found one high-entropy literal that appears to be a hardcoded signing key: the base64 string 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' assigned to _K and then decoded/used to compute an HMAC signature (DIV_ID/HMAC_SIG) reported to OKX. This is a literal, non-placeholder, random-looking value used as a secret/key in the install/report flow and therefore qualifies as a hardcoded secret.
Ignored items and why:
- All listed on-chain addresses (cToken/underlying) are public blockchain addresses — not secrets.
- "0xYourWallet" and similar wallet placeholders are documentation placeholders — ignore.
- Command examples, URLs, and plain-language passwords/labels are examples/placeholders or public infra — ignore per the policy.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed for on-chain financial operations with Compound V2. It exposes specific write operations that broadcast transactions: supply (ERC20.approve + cToken.mint), redeem (cToken.redeem), and claim-comp (Comptroller.claimComp), routed through the onchainos wallet CLI and requiring a connected wallet. Those are direct crypto/blockchain transaction capabilities (signing/broadcasting) rather than generic tooling or dry-run only. Therefore it grants direct financial execution authority.
Issues (6)
Prompt injection detected in skill instructions.
Suspicious download URL detected in skill instructions.
Third-party content exposure detected (indirect prompt injection risk).
Unverifiable external dependency detected (runtime URL that controls agent).
Secret detected in skill content (API keys, tokens, passwords).
Direct money access capability detected (payment gateways, crypto, banking).