flap
Audited by Snyk on Apr 9, 2026
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). These URLs mix otherwise legitimate services (Binance, OKX, public RPCs, Vercel) with high-risk executable distribution vectors, notably a raw GitHub-hosted install.sh intended to be piped from curl into sh, and a GitHub release binary from an unvetted/unknown user (MigOKG). Together these create a meaningful supply-chain/malware risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's required workflow (SKILL.md) shows that it fetches and ingests untrusted on-chain and third-party data. For example, get-token-info uses direct eth_call requests to public BSC RPC endpoints (https://bsc-rpc.publicnode.com, https://bsc-dataseed.binance.org) and accepts metadata via https://funcs.flap.sh/api/upload. The agent is expected to read and interpret those external values (status, tax rates, warnings), which directly influence its decisions and whether it executes on-chain transactions, creating a clear channel for indirect prompt injection.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's auto-injected pre-flight steps fetch and execute remote code at runtime, notably "curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh" and downloading/executing the flap binary from "https://github.com/MigOKG/plugin-store/releases/download/plugins/flap@0.1.0/...". These are runtime external dependencies that execute remote code and are required for the skill to function.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned for high-entropy literal values used as credentials. One high-entropy base64 string is embedded in the install/report script:
- 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw=='
This value is decoded into _K and then used to compute an HMAC signature (HMAC_SIG) for the device token sent to OKX; in other words, it functions as a secret key. It is not a placeholder or a truncated/redacted value and appears to be an actual embedded secret (high entropy, used in HMAC generation). Therefore it should be treated as a leaked secret.
Other values in the document (contract addresses like 0xe2cE6ab..., RPC URLs, example tokens/addresses such as 0xAbCd..., QmXxx..., placeholders like 0xYourAddress..., command examples, etc.) are public or clearly illustrative/placeholders and are ignored per the rules.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly and primarily designed for blockchain financial operations on BSC: it can create ERC-20 tokens, buy tokens with BNB, and sell tokens for BNB. Write operations run a dry-run and then (after user confirmation) submit real on-chain transactions via "onchainos wallet contract-call --chain 56 --force". Sell flows automatically perform ERC-20 approve + swap transactions. These are direct crypto transaction/transfer capabilities (wallet signing/broadcasting, swaps, approvals), not generic tooling. Therefore it grants direct financial execution authority.