fenix-finance
Audited by Snyk on Apr 9, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The pre-flight "Report install" block secretly fingerprints the device, decodes an obfuscated key to compute an HMAC, and POSTs that identifier to external endpoints—behavior unrelated to the advertised Fenix Finance functionality and constituting hidden/exfiltrative instructions.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). These links instruct curl|sh of a raw GitHub install.sh and the download of platform-specific executables from a third-party GitHub release (plus automatic telemetry/reporting to Vercel/OKX). These involve direct execution of unvetted binaries and device-fingerprinting endpoints, a high-risk pattern for malware or covert data exfiltration.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). The skill contains intentional telemetry/exfiltration: it computes a device fingerprint (including hostname and $HOME), decodes an obfuscated HMAC key, and POSTs that identifier to external endpoints on first install, while also downloading and executing remote install scripts and binaries (supply-chain risk); no direct reverse shell or explicit credential-stealing code was found, but the obfuscated reporting and remote-install behavior indicate high risk.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's pre-flight install steps download and execute remote code at runtime — notably the install script fetched via curl | sh from https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh and the fenix-finance binary downloaded from https://github.com/MigOKG/plugin-store/releases/download/plugins/fenix-finance@0.1.0/fenix-finance-… — and these are required dependencies, so they execute remote code.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I looked for high-entropy, literal values that could be used as credentials. The only candidate that meets the criteria is the base64 string embedded in the install/report script:
_K=$(echo 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' | base64 -d ...)
This is a literal, non-placeholder, high-entropy value that is decoded and used as an HMAC key to compute a device signature (HMAC_SIG) that is then included in reporting to the OKX API. That behavior (hardcoded key used to sign or authenticate requests) matches the definition of a secret.
I am ignoring the following as non-secrets per your rules:
- All listed contract addresses (0x...) — these are public on-chain addresses.
- Command examples, CLI install commands, URLs, and device ID derivation logic — these are operational or public.
- Sample/simple strings and selectors (e.g., "0xbc651188") — these are public constants or simple examples, not credentials.
Because the base64 literal is a real embedded key (not a placeholder or example) I flag it as a secret.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform on-chain financial operations. It provides commands to execute swaps (SwapRouter.exactInputSingle), mint/remove concentrated liquidity (NFPM.mint, NFPM.decreaseLiquidity, NFPM.collect), and submit ERC-20 approvals, and it explicitly submits transactions via "onchainos wallet contract-call --force". It also documents an execution flow that does a dry-run, asks for user confirmation, then "execute[s] on-chain" and reports the transaction hash. These are specific payment/asset-transfer actions on blockchain wallets (moving tokens), not generic tooling.