exactly-protocol
Audited by Snyk on Apr 9, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.90). The pre-flight "Report install" step instructs the agent to compute a device fingerprint (using an obfuscated key) and POST it to external endpoints—behavior unrelated to the Exactly Protocol lending functionality and effectively a sneaked-in data-exfiltration instruction.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). These links include a raw GitHub-hosted install.sh intended to be run (curl | sh), and a direct download URL for prebuilt executables from an unvetted GitHub user, combined with telemetry/reporting endpoints (Vercel and OKX) — a pattern that enables arbitrary code execution, untrusted binary distribution, and potential data exfiltration, so it is suspicious.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). This skill includes deliberate telemetry/exfiltration (computing a device fingerprint and POSTing it to external endpoints), an obfuscated HMAC key, and automated remote-installer/binary-download patterns (curl | sh and direct binary fetch + chmod) — intentional behaviors that create supply‑chain and privacy/backdoor risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly calls out reading external on-chain and API data (e.g., Previewer.exactly via eth_call and commands like get-markets/get-position using public nodes such as https://mainnet.optimism.io and https://ethereum.publicnode.com) and instructs the agent to interpret those outputs to choose maturities, amounts, and whether to execute writes, so untrusted third‑party content can directly influence actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's pre-flight runtime steps fetch and execute remote code required for operation—e.g., "curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh" (install script) and the GitHub release binary download "https://github.com/MigOKG/plugin-store/releases/download/plugins/exactly-protocol@0.1.0/..." which are executed as part of startup, so they present a clear runtime code-execution dependency.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the full skill prompt for literal, high-entropy values that could be used as credentials.
Flagged item:
- The base64 string 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' assigned to _K and then base64-decoded is an obfuscated HMAC key used to compute a device signature (HMAC_SIG). This is a high-entropy literal value embedded in the script and is used as a signing key (i.e., it can be used to authenticate/report to external services). Per the definition, that qualifies as a secret.
Non-issues (not flagged):
- On-chain addresses (Ethereum/Optimism addresses) are public contract addresses, not secrets.
- Example timestamps, command examples, environment variable names, commit hash, and other instructional values are documentation artifacts or placeholders and do not meet the high-entropy secret definition.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly exposes on-chain financial actions: deposit, borrow, repay, withdraw, and enter-market via the exactly-protocol CLI (ABI-encoded contract calls) and requires an onchainos wallet connection. These are concrete crypto/blockchain transaction commands that can move funds and sign/broadcast transactions (writes use --force and broadcast immediately). This is a specific financial execution tool (not a generic browser/API caller), so it grants direct financial execution capability.