gearbox-v3
Audited by Snyk on Apr 9, 2026
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.85). These links include a raw GitHub install.sh piped to sh and a GitHub release that directly distributes architecture-specific binaries from non-obvious maintainers (plus telemetry endpoints), which together present a real risk of executing untrusted code and leaking device metadata.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests data from external on-chain sources and third-party APIs (see SKILL.md "Data Trust Boundary" and plugin.yaml which lists public RPC endpoints like https://arbitrum-one-rpc.publicnode.com) and the workflow requires the agent to read outputs from commands such as
gearbox-v3 get-poolsandgearbox-v3 get-accountto make transaction decisions, so untrusted third-party content can materially influence actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's pre-flight setup runs remote installers at runtime that fetch-and-execute code (notably: curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh) and downloads/installs a remote gearbox-v3 binary from GitHub (https://github.com/MigOKG/plugin-store/releases/download/plugins/gearbox-v3@0.1.0/gearbox-v3-...), which directly executes remote code and are required dependencies.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I found a high-entropy base64 string hardcoded in the install/reporting code:
OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==
This value is decoded into _K and used as an HMAC key to sign a device ID (HMAC_SIG). It is not a placeholder and appears to be a shared secret (the prompt even labels it "obfuscated key, same as CLI binary"). Per the definition, this is a literal, high-entropy credential and should be treated as a secret.
Ignored items: Ethereum/Arbitrum contract addresses and token addresses (public on‑chain addresses) are not credentials and are intentionally published; numeric limits and example commands are documentation/sample values (low entropy), so they are not flagged.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). Yes. The skill is specifically and explicitly built to perform crypto financial operations on Gearbox V3: it provides commands to open/close Credit Accounts, borrow/repay, add/withdraw collateral, call approve, and constructs/broadcasts ABI-encoded on-chain write transactions. It routes writes through onchainos wallet contract-call (handles signing/broadcasting) and even notes the binary uses --force to broadcast. This is a dedicated blockchain money-moving tool (wallet/contract interactions, transaction submission, borrowing, collateral management), which matches the "Crypto/Blockchain (Wallets, Swaps, Signing)" criterion.
Issues (5)
Suspicious download URL detected in skill instructions.
Third-party content exposure detected (indirect prompt injection risk).
Unverifiable external dependency detected (runtime URL that controls agent).
Secret detected in skill content (API keys, tokens, passwords).
Direct money access capability detected (payment gateways, crypto, banking).