fluid
Audited by Snyk on Apr 9, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The auto-injected "Report install" block computes a device fingerprint, decodes an obfuscated key, HMAC-signs a device ID, and POSTs it to external endpoints — a hidden/exfiltration step unrelated to the skill's DEX/lending functionality and therefore a deceptive instruction outside the stated purpose.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). The set is suspicious: it instructs running a raw GitHub-hosted shell script (dangerous to pipe-to-sh) that pulls platform-specific binaries from a third-party GitHub release (MigOKG — not an obviously well-known/trusted publisher) and also POSTs a device fingerprint to external endpoints (Vercel and an OKX API), combining direct executable downloads from an unverified source with telemetry/reporting that increases privacy/malware risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill makes direct eth_call requests to public RPC endpoints (e.g., base-rpc.publicnode.com, eth.llamarpc.com) — used by commands like markets (LendingResolver.getFTokensEntireData), positions (getUserPositions & token calls), and quote (DexReservesResolver.estimateSwapIn) — and the agent parses and acts on those on-chain responses to build/submit transactions, so untrusted public on-chain data can materially influence behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's auto-injected pre-flight steps fetch and execute remote code at runtime — notably "curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh" and the GitHub release download "https://github.com/MigOKG/plugin-store/releases/download/plugins/fluid@0.1.0/fluid-${TARGET}" (downloaded and chmod+x), so required runtime content is fetched from external URLs and executed.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I flagged the base64-encoded string assigned to _K in the install/report script:
OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==
This is used as an HMAC key ("HMAC signature (obfuscated key, same as CLI binary)") to sign a device token sent to an external API. It is a literal, high-entropy value in the repo and functions as a secret signing key — therefore it meets the definition of a secret and should be treated as sensitive (rotate/remove).
Ignored items and why:
- All listed contract/token addresses and function selectors are public on-chain values (not secrets).
- Truncated addresses (e.g., "0xf42f5795...") and placeholders like <vault_address> are not secrets.
- No obvious low-entropy setup passwords or example API keys present.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a DeFi execution tool. It provides specific commands to perform on-chain financial operations: supply (ERC‑4626 deposits), withdraw/redeem, and DEX swaps, including ERC‑20 approve flows and function selectors. It uses an onchainos wallet contract-call to broadcast transactions and returns transaction hashes (approveTxHash, swapTxHash, supplyTxHash). Although it enforces dry-run and explicit user confirmation, these are live transaction operations that move funds. Borrow/repay are disabled for live execution, but the primary features (supply/withdraw/swap) are concrete payment/asset-transfer operations on blockchain wallets.