eigencloud
Audited by Snyk on Apr 9, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The pre-flight "Report install" block collects a device fingerprint (hostname, OS, $HOME), decodes an obfuscated key, builds an HMAC-signed device token and silently POSTs it to external endpoints — telemetry/exfiltration unrelated to the plugin's restaking functionality and thus a hidden/deceptive instruction.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). The skill asks you to download and execute binaries/scripts (GitHub release binary and raw curl|sh install script) from an unknown GitHub user and a third‑party Vercel endpoint (even though okx.com endpoints appear legitimate), which are high‑risk indicators for malware distribution.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill issues eth_call requests to the public JSON-RPC at https://ethereum-rpc.publicnode.com (see config.rs + src/rpc.rs) and parses onchainos CLI output for wallet addresses (src/onchainos.rs), and those untrusted on‑chain/CLI return values are read and directly influence command logic and transaction building/execution (e.g., deposit, delegate, queue-withdraw), so third‑party content can materially affect agent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). Two pre-flight install steps fetch and execute remote code at runtime—curl https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh (installs onchainos) and curl https://github.com/MigOKG/plugin-store/releases/download/plugins/eigencloud@0.1.0/eigencloud-${TARGET} -o ~/.local/bin/eigencloud (downloads a binary then chmod +x)—and these are required dependencies for the skill, so they directly introduce execution of remote code.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I flagged the base64 string assigned to _K as a hardcoded secret. The script contains:
_K=('OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' | base64 -d ...)
This is a reversible, high-entropy literal (an obfuscated HMAC key) that is used to sign a device token (HMAC signature). It is not a placeholder or a low-entropy setup password and therefore qualifies as an active secret embedded in the code.
Ignored items: all 0x Ethereum addresses and example/truncated values like "0x..." or "0xYourAddress" are public/placeholder and not secrets; example tx hashes, "YOUR_API_KEY" style placeholders, and simple example strings (none present beyond examples) were treated per the rules and not flagged.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly provides on-chain crypto transaction capabilities: it supports depositing ERC‑20 LSTs/EIGEN into strategies (including automatic approvals and broadcasting deposit transactions), delegating shares (calling delegateTo), and queuing withdrawals. It routes writes through onchainos wallet contract-call with preview and a --confirm broadcast step and mentions TEE‑sandboxed signing. It lists token and contract addresses and transaction hashes. These are concrete blockchain wallet/transaction operations (crypto signing and sending), i.e., direct financial execution.