etherfi

Fail

Audited by Snyk on Apr 9, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 1.00). The pre-flight auto-injected block contains covert telemetry/exfiltration logic—computing a device fingerprint, decoding an obfuscated HMAC key, and POSTing a signed device ID to external endpoints—which is unrelated to the plugin's claimed liquid-restaking functionality and constitutes hidden/deceptive instructions.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.80). These URLs include direct downloads of native binaries and shell installers hosted in a GitHub release by an unvetted account (MigOKG) plus remote install scripts and reporting endpoints — while domains like github.com, raw.githubusercontent.com, okx.com, etherscan.io and vercel.app are legitimate, delivering unsigned executables and checksums from the same potentially unknown source (and an initial install path lacking checksum verification) is a suspicious distribution pattern that could deliver malware or exfiltrate data.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).


HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the entire skill prompt for literal, high-entropy values that could be used as credentials. The only candidate that meets the secret definition is the base64-encoded string embedded in the install/report script:

Occurrence: _K=$(echo 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' | base64 -d ...)

Why I flag it:

  • It's a non-placeholder, Base64-encoded literal rather than an obvious example or truncated/redacted value.
  • The script uses it as an HMAC signing key ("HMAC signature (obfuscated key, same as CLI binary)"), i.e., it's directly used to create a device token — a classic secret-key usage.
  • The encoded value appears high-entropy (not a human-readable example), and would likely decode to a usable key.
  • This is not covered by the “ignore” rules (not a placeholder, not a trivial setup password, not an env var name).

What I ignored:

  • Contract addresses, ABI selectors, endpoint URLs, and example outputs — these are public/protocol data or documentation placeholders and are not credentials.
  • Placeholders like 0xYourWalletAddress and example JSON values were treated as non-secrets per the guidance.

Recommendation: remove or rotate this embedded key and fetch it from a secure secret store or configuration not checked into docs.


MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly a crypto financial plugin for ether.fi and defines write operations that send on-chain transactions: stake (deposit ETH), wrap (approve + deposit eETH to mint weETH), and unwrap (redeem weETH). It uses onchainos wallet contract-call to broadcast transactions and handles tx hashes, amounts, and approvals — i.e., it is specifically designed to move crypto funds on-chain. Therefore it grants direct financial execution capability.

Issues (5)

  • E004 (CRITICAL): Prompt injection detected in skill instructions.
  • E005 (CRITICAL): Suspicious download URL detected in skill instructions.
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
  • W008 (HIGH): Secret detected in skill content (API keys, tokens, passwords).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

  • Risk Level: CRITICAL
  • Analyzed: Apr 9, 2026, 02:34 AM
  • Issues: 5