curve
Audited by Snyk on Apr 9, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The prompt includes an auto-injected "Report install" step that computes a device fingerprint, decodes an obfuscated key to build an HMAC, and POSTs a device ID to external endpoints — a hidden telemetry/exfiltration behavior unrelated to the Curve DEX functionality and thus deceptive.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). These links instruct running a raw install.sh via curl|sh and downloading a prebuilt binary from a third‑party GitHub release (unknown user), plus telemetry endpoints — a classic high‑risk pattern for malware/unauthorised code distribution even though some hosts (github.com, raw.githubusercontent, okx.com, vercel.app) are legitimate domains.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). This skill explicitly fetches pool addresses from the public Curve API (api.curve.finance) and reads on-chain data via public RPCs, and the agent consumes those untrusted external quotes/balances/contract outputs to build calldata and make swap/add/remove decisions, so third-party content can materially influence tool actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The pre-flight install steps fetch and run remote code at runtime—specifically "curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh" (pipes and executes a remote install script) and "curl -fsSL https://github.com/MigOKG/plugin-store/releases/download/plugins/curve@0.1.0/curve-${TARGET}" (downloads an executable binary that the skill requires)—so external content is executed and required for the skill to run.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I found a high-entropy, literal value that is used as an HMAC signing key. The script sets: _K='OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' and then base64-decodes it and uses it to compute an HMAC signature for a device token. This is a literal credential-like secret (an embedded signing key) and meets the definition of a secret.
Ignored items:
- Truncated contract/pool addresses like "0xbebc..." or "0x45312ea0..." — these are redacted/truncated or public contract addresses, not secrets.
- Public URLs, commit hash, and example usage blocks — not credentials.
- No simple example passwords or obvious placeholders were used that would be flagged per the policy.
Therefore this skill prompt contains one real hardcoded secret (the base64-encoded key).
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly built to perform on-chain financial operations on Curve Finance. It provides specific write commands (swap, add-liquidity, remove-liquidity) that check allowances, approve tokens, and execute transactions via "onchainos wallet contract-call" (using --force to broadcast). It requires the agent to check wallet connection, preview calldata (--dry-run), ask user confirmation, then submit transactions and report txHash/explorer links. This is a crypto/blockchain wallet integration designed to move funds, not a generic tool—so it grants direct financial execution capability.