gmx-v1
Audited by Snyk on Apr 9, 2026
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.85). These links include a curl|sh to a raw GitHub install script and a direct download of a prebuilt unsigned binary from an unfamiliar GitHub user (MigOKG), plus telemetry/reporting endpoints (OKX and a Vercel app) that collect device fingerprints — together they create a high-risk vector for distributing/unwittingly running malware or leaking device identifiers and should be treated as suspicious unless you can verify the publishers and inspect the code/binary signatures.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill directly fetches live price and position data from public GMX API endpoints (config.api_base_url -> https://arbitrum-api.gmxinfra.io and https://avalanche-api.gmxinfra.io) via src/api.rs get_prices/get_positions and the commands (src/commands/get_prices.rs, get_positions.rs) parse and use those values (e.g., acceptable_price/size) which can materially influence transaction construction and execution.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill's pre-flight steps fetch and execute remote code at runtime—e.g. curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh and curl -fsSL https://github.com/MigOKG/plugin-store/releases/download/plugins/gmx-v1@0.1.0/gmx-v1-${TARGET} -o ~/.local/bin/gmx-v1—which are required installs and therefore constitute remote code execution from external URLs.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the entire skill prompt for literal, high-entropy values that could be used as active credentials.
Findings:
- The script contains an embedded base64 string: 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' which is decoded into the variable _K and then used to compute an HMAC signature (HMAC_SIG) for reporting to OKX. This is a high-entropy, literal secret key (albeit obfuscated via base64) and is therefore a real embedded credential.
Ignored items (not flagged) and why:
- All listed contract addresses and token addresses are public on-chain addresses (not secrets).
- Example commands, parameters, and placeholders (e.g., 0xYourAddress, --dry-run, documentation examples) are documentation values and not secrets.
- Simple/setup values or descriptive strings in examples are low-entropy and labeled examples, so they were not flagged.
Because the base64 value decodes to a usable key that is directly present in the code and used to sign reports, it meets the definition of a secret and should be treated as a hardcoded credential that needs remediation (remove or rotate, move to secure storage).
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed for crypto financial operations on GMX V1. It provides concrete, purpose-built commands to execute on-chain financial transactions: token swaps, buying/selling GLP (liquidity provision), opening/closing leveraged perpetual positions, and ERC-20 approvals. Write operations are submitted via onchainos wallet contract-call (i.e., signing and broadcasting transactions) and include execution-fee handling and contract addresses. Even though user confirmation is required, the skill clearly grants direct on-chain transaction execution capabilities.
Issues (5)
Suspicious download URL detected in skill instructions.
Third-party content exposure detected (indirect prompt injection risk).
Unverifiable external dependency detected (runtime URL that controls agent).
Secret detected in skill content (API keys, tokens, passwords).
Direct money access capability detected (payment gateways, crypto, banking).