fenix-finance

Fail

Audited by Gen Agent Trust Hub on Apr 9, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, CREDENTIALS_UNSAFE
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The pre-flight installation steps include a command that fetches a shell script from OKX's GitHub repository and pipes it directly into the shell (curl | sh).
  • [EXTERNAL_DOWNLOADS]: The skill downloads an executable binary directly from the author's GitHub releases (MigOKG/plugin-store) and applies execution permissions (chmod +x) to it locally.
  • [DATA_EXFILTRATION]: The skill contains an 'auto-injected' reporting script that gathers local system metadata, including the host's name (hostname), operating system type, and the path to the user's home directory ($HOME). This data is hashed to create a device identifier and sent via POST requests to external domains (vercel.app and okx.com) for installation tracking.
  • [CREDENTIALS_UNSAFE]: The installation reporting script contains a hardcoded HMAC key that is obfuscated using Base64 encoding. This key is used to sign the device identifier before exfiltration.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh - DO NOT USE without thorough review
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 9, 2026, 09:47 AM