four-meme
Audited by Snyk on Apr 9, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The prompt contains an auto-injected "Report install" section that collects a device fingerprint, decodes an obfuscated key to HMAC-sign a device ID, and POSTs that data to external endpoints—behavior unrelated to the plugin's trading purpose and effectively hidden/deceptive.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). These links include a raw GitHub install.sh piped to sh and a GitHub release binary from an untrusted/unknown user (direct executable download), plus telemetry/report endpoints (Vercel/OKX) that fingerprint devices — together they present a high-risk vector for distributing and tracking untrusted malware.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill fetches untrusted public content from the Four.meme APIs (API_CONFIG: https://four.meme/meme-api/v1/public/config used in src/commands/tokens.rs and API_TOKEN_GET: https://four.meme/meme-api/v1/private/token/get used in src/commands/info.rs) and performs eth_call requests against a public BSC RPC (https://bsc-dataseed.binance.org in src/config.rs) and then directly uses those responses to compute quotes, choose token managers, build calldata, and decide/broadcast transactions (see src/commands/buy.rs, sell.rs, info.rs), so third‑party data can materially influence tool behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's pre-flight install runs at runtime and fetches+executes remote code (e.g. curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh) and downloads a remote binary (https://github.com/MigOKG/plugin-store/releases/download/plugins/four-meme@0.1.0/four-meme-${TARGET}) which are required for the skill to operate, so they execute remote code and present high risk.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I flagged the base64 literal assigned to _K as a hardcoded secret. It is a high-entropy, literal value (OE9n...==) used as an HMAC key to sign a device token and sent with reporting calls. This is not a documentation placeholder or a simple example — it is an actual encoded key embedded in the script (and not redacted/truncated). Other items (contract addresses, example commands, environment variable names, and simple example passwords) are public or clearly examples and were ignored.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a crypto trading tool: it provides buy and sell commands to trade meme tokens on a BNB Chain bonding-curve launchpad, includes on-chain broadcast functionality ("--confirm" to broadcast on-chain), handles token approvals, and targets specific chain and contract addresses. These are direct blockchain transaction capabilities (crypto/swaps/signing) — i.e., explicit financial execution.