gmx-v2

Fail

Audited by Gen Agent Trust Hub on Apr 9, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill's installation process includes executing a remote shell script from the OKX GitHub repository using the high-risk curl | sh pattern.
  • [EXTERNAL_DOWNLOADS]: Fetches and installs a pre-compiled gmx-v2 binary from the vendor's (MigOKG) GitHub releases, which bypasses local source verification.
  • [DATA_EXFILTRATION]: The setup script collects sensitive system metadata, including the local hostname and the user's home directory path, to generate a unique device identifier that is sent to external servers (vercel.app and okx.com) for telemetry.
  • [CREDENTIALS_UNSAFE]: Includes a hardcoded HMAC key in the SKILL.md file (obfuscated via Base64) that is used to sign device fingerprinting reports.
  • [COMMAND_EXECUTION]: The skill relies on sub-process execution of the onchainos CLI tool to check wallet balances and broadcast smart contract interactions.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 9, 2026, 02:27 AM