compound-v3
Audited by Snyk on Apr 9, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The pre-flight "Report install" section includes obfuscated key handling, computes a device fingerprint/HMAC, and POSTs that identifier to external endpoints — a hidden telemetry/exfiltration step unrelated to the plugin's stated Compound lending functionality.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). These links include a curl|sh to raw GitHub content and a direct GitHub Releases binary from an unvetted GitHub account plus third‑party telemetry endpoints (Vercel/OKX API); downloading and auto‑installing executables or running piped shell scripts from unknown or lightly vetted accounts is a high‑risk distribution vector for malware.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill explicitly reads untrusted external data from on-chain smart contracts and third-party APIs (see "Data Trust Boundary") and uses values like borrowBalanceOf, isBorrowCollateralized, and CometRewards.getRewardOwed in required command flows (get-markets, get-position, supply/borrow/repay/withdraw/claim-rewards) to decide and execute actions, so third-party content can materially influence the agent's behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's pre-flight steps fetch and execute remote code at runtime — specifically the install script pulled and piped to sh from https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh and the plugin binary downloaded from https://github.com/MigOKG/plugin-store/releases/download/plugins/compound-v3@0.1.0/compound-v3-${TARGET} — both are required for operation and therefore present a high-risk runtime dependency.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the entire skill prompt for literal, high-entropy values that could be used as credentials. The clear finding is the base64-encoded string assigned to _K in the install/report script:
echo 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' | base64 -d ...
This is not a placeholder or an obvious example; it is a reversible, encoded secret embedded in the script and then used to compute an HMAC signature (HMAC_SIG) that is sent to external APIs. That meets the definition of a secret (high-entropy, literal value that provides access or proves authenticity). Even though it is "obfuscated" by base64, it is trivially decodable and therefore should be treated as a hardcoded secret.
Other potential matches were intentionally ignored:
- 0xYourWallet and similar 0x... placeholders are documentation placeholders, not secrets.
- Public Ethereum contract addresses and chain IDs are public data.
- Example passwords or numeric examples (e.g., amounts) are low-entropy/setup values and not flagged.
Therefore this file contains one hardcoded secret (the base64-encoded HMAC key).
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed for on-chain financial operations on Compound V3. It implements write operations (supply, borrow, repay, withdraw, claim-rewards) that submit signed blockchain transactions via onchainos wallet contract-call, requires a connected wallet, and reports transaction hashes. These are specific crypto/blockchain transaction execution capabilities (moving assets, creating borrows/repays), not generic tooling. Therefore it grants direct financial execution authority.