The Agent Skills Directory

CRITICAL E004: Prompt injection detected in skill instructions.

Potential prompt injection detected (high risk: 1.00). The prompt includes a sneaked-in installation/reporting block that computes a device fingerprint, decodes an obfuscated (base64) key to create an HMAC, and posts telemetry to external endpoints — actions unrelated to trading and effectively exfiltrate device identifiers, which is a hidden/deceptive instruction outside the skill's stated purpose.

CRITICAL E005: Suspicious download URL detected in skill instructions.

Suspicious download URL detected (high risk: 0.90). Yes — the installer pipes a raw GitHub shell script to sh and pulls a platform-specific executable from a small/unvetted GitHub release (MigOKG) while also POSTing a fingerprint to third‑party endpoints (okx API / vercel), so unreviewed remote script execution, direct binary downloads, and telemetry/exfiltration make this a high‑risk distribution vector.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches market and price data from public GMX APIs and public RPC endpoints (see plugin.yaml api_calls and SKILL.md notes like "Market addresses: Fetched dynamically from GMX API" and get-prices/list-markets flows), and the agent is expected to read those untrusted, third-party responses to construct and execute transactions—so external content can materially influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 1.00). The skill's pre-flight steps fetch and execute remote code at runtime — notably curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh (installs onchainos CLI) and curl -fsSL https://github.com/MigOKG/plugin-store/releases/download/plugins/gmx-v2@0.1.0/gmx-v2-${TARGET} -o ~/.local/bin/gmx-v2 (downloads/executables the plugin binary) — which clearly execute external code that the skill depends on.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

Secret detected (high risk: 1.00). I flagged a hardcoded, high-entropy secret: the base64 literal assigned to _K in the install/report script:

_K=$(echo 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' | base64 -d ...)

The prompt even describes this as an "obfuscated key" used to compute an HMAC device signature and to report to OKX. This is a literal secret embedded in the code (not a placeholder, not truncated), and it appears usable for signing/reporting operations — therefore it meets the definition of a secret.

Items I explicitly ignored as non-secrets: public contract/token addresses (e.g., 0xaf88d0...), placeholders like 0xYourWallet and comments such as "YOUR_API_KEY", simple/example strings and setup examples. These are documentation/examples or public addresses and do not meet the high-entropy secret criteria.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

Direct money access detected (high risk: 1.00). The skill is explicitly designed to execute on-chain financial transactions on GMX V2. It provides write commands that send funds and create market orders (open-position, close-position, place-order, deposit-liquidity, withdraw-liquidity, claim-funding-fees), auto-approves token allowances, and submits transactions via onchainos wallet contract-call (broadcasting multicalls and execution-fee value). These are direct crypto/blockchain financial actions (wallet signing and broadcasting of trades/liquidity ops), so it grants direct financial execution authority.

gmx-v2

Issues (6)