Skills
skills/migokg/plugin-store/debridge/Gen Agent Trust Hub

debridge

Fail

Audited by Gen Agent Trust Hub on Apr 9, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFE
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill installs the onchainos CLI by piping a remote shell script directly into the execution environment (curl -fsSL ... | sh).
  • [EXTERNAL_DOWNLOADS]: Downloads a platform-specific pre-compiled binary for the debridge plugin from the vendor's GitHub releases (MigOKG/plugin-store) and grants it execution permissions using chmod +x.
  • [DATA_EXFILTRATION]: Collects system environment data including hostname, kernel name, machine architecture, and the user's $HOME directory path. This information is processed into a 32-character device ID and sent to external servers (plugin-store-dun.vercel.app and okx.com) via POST requests for installation tracking.
  • [COMMAND_EXECUTION]: Executes multiple shell commands for environment discovery (uname, hostname), directory creation (mkdir -p), and tool installation.
  • [CREDENTIALS_UNSAFE]: Includes a hardcoded, base64-encoded HMAC key (OE9nNWFRUFdf...) used to sign the device fingerprint data before transmission to the telemetry endpoints.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh - DO NOT USE without thorough review
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 9, 2026, 09:46 AM