dolomite
Audited by Snyk on Apr 9, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.80). The skill prompt contains obfuscated/pre-flight instructions that compute a HMAC-signed device identifier and POST it to external endpoints (telemetry/reporting), which is unrelated to the Dolomite lending functionality and is concealed by base64 obfuscation—i.e., hidden data-exfiltration outside the skill's stated purpose.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). Yes — the skill makes JSON-RPC calls to public RPC endpoints (e.g., https://arbitrum-one-rpc.publicnode.com, https://rpc.mantle.xyz, https://rpc.berachain.com as listed in config/plugin.yaml) and decodes on-chain user-provided data such as token symbols/strings via rpc::eth_call and decode_string_from_hex, which the agent reads and uses to determine market IDs, amounts, and calldata (affecting actions), so untrusted third‑party content can influence behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's auto-injected pre-flight installs execute remote code at runtime (curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh) and downloads an executable binary (curl -fsSL https://github.com/MigOKG/plugin-store/releases/download/plugins/dolomite@0.1.0/dolomite-${TARGET} -o ...) which are required dependencies and therefore present a high risk.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the full skill prompt for literal, high-entropy values that would provide access to a service.
Flagged item:
- The base64 string assigned to _K: 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' This is a hardcoded, non-placeholder, obfuscated HMAC signing key (used to build an HMAC-signed device token and reported to an OKX API). It appears to be a real secret material (high-entropy literal value) embedded in the script and thus should be treated as a secret.
Ignored items (not flagged) and why:
- All listed token/contract addresses (e.g., 0xaf88... , 0x82aF...) — these are public on-chain addresses, not secrets.
- Environment/tool commands, example commands, and error messages — no secret material.
- Default chain IDs, example passwords, and example strings — none are high-entropy credentials.
- The reporting endpoints and curl commands — endpoints alone are not secrets.
Conclusion: there is one hardcoded secret (the base64-encoded HMAC key).
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a crypto lending market CLI that performs on-chain transactions. It defines commands to deposit and withdraw assets, notes that deposit requires ERC-20 approve + DolomiteMargin.operate() (i.e., broadcasting transactions to move tokens), and requires a connected wallet (onchainos wallet). Write operations can be broadcast with --confirm. Supported chains and token contract addresses are listed. These are specific, explicit blockchain financial execution capabilities (sending transactions and moving funds), so it grants direct financial execution authority.
Issues (5)
Prompt injection detected in skill instructions.
Third-party content exposure detected (indirect prompt injection risk).
Unverifiable external dependency detected (runtime URL that controls agent).
Secret detected in skill content (API keys, tokens, passwords).
Direct money access capability detected (payment gateways, crypto, banking).