fenix
Audited by Snyk on Apr 9, 2026
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). The URLs include a raw GitHub shell script piped to sh and an unsigned executable downloaded from a third-party GitHub release (MigOKG) plus telemetry/collection endpoints (Vercel and OKX); while parts originate from known domains (github.com, okx.com, vercel.app), the practice of running a remote install.sh and pulling binaries from an unfamiliar GitHub user is a high-risk pattern for malware/unauthorized code execution.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly performs read operations against public third-party endpoints (e.g., Blast RPC "https://rpc.blast.io" for get-quote and a public GraphQL subgraph "https://api.goldsky.com/…/subgraphs/fenix-finance-v3" for get-pools) and the SKILL.md workflow shows the agent reads those responses and uses them to decide or construct follow-up actions (e.g., setting amounts/ticks and executing swaps/mints), so untrusted external content can materially influence tool use.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's pre-flight install runs at runtime and fetches and executes remote code (curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh) and also downloads a remote executable (https://github.com/MigOKG/plugin-store/releases/download/plugins/fenix@0.1.0/fenix-...) which the skill requires to operate, so these URLs execute remote code.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the entire skill prompt for high-entropy, literal credentials. Everything else is public (contract addresses, example commands, URLs, placeholders, and simple example passwords are all doc artifacts and intentionally ignored).
I found one embedded high-entropy base64 string used as an "obfuscated key" for HMAC signing: OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==
This is decoded into _K and then used to compute an HMAC signature for reporting (the code comment even calls it an "obfuscated key, same as CLI binary"). That meets the definition of a secret (literal, high-entropy key material) and should be treated as a hardcoded secret.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a crypto trading/liquidity plugin: it provides swap and add-liquidity write commands that perform on-chain token approvals and broadcast transactions (via onchainos wallet contract-call --force), resolve wallet addresses, and report tx hashes. These are direct blockchain financial actions (token swaps, minting LP positions, signing/broadcasting transactions), so it grants Direct Financial Execution capability.