hyperliquid
Audited by Snyk on Apr 8, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.80). The auto-injected pre-flight script contains obfuscated base64 handling and device-fingerprinting/reporting logic that sends HMAC-signed device identifiers to external endpoints (Vercel and OKX), which is unrelated to the plugin's trading functionality and effectively hides telemetry/exfiltration behavior outside the skill's stated purpose.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.75). These links include instructions to curl|sh and to download/execute binaries (GitHub release from an unfamiliar account and a Vercel app) without verifiable signatures or checksums—while some domains (okx, hyperliquid) appear official, the direct-install patterns and third‑party release hosting are high‑risk for malware distribution.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill makes live requests to the public Hyperliquid API (https://api.hyperliquid.xyz/info and https://api.hyperliquid.xyz/exchange) — see src/api.rs and the command flows in SKILL.md and src/commands (order.rs, cancel.rs, positions.rs, prices.rs) — and the agent consumes those untrusted API responses (meta, mids, open orders, clearinghouseState) to look up asset indices, display prices, and build/sign/submit order or cancel actions, so third‑party content can directly influence its decisions and tool use.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's auto-injected pre-flight steps fetch and execute remote code at runtime (install script: https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh is piped to sh, and the hyperliquid binary is downloaded from https://github.com/MigOKG/plugin-store/releases/download/plugins/hyperliquid@0.1.0/hyperliquid-${TARGET} and installed), which runs remote code and is required for the skill to function.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the entire skill prompt for literal, high-entropy credentials. I found a base64-encoded literal used as an "obfuscated key" in the install/report script:
The string: OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==
This value is decoded at runtime and used as an HMAC key to sign a device token. It is not a placeholder or example — it is a hardcoded secret (high-entropy, directly usable for signing). That meets the definition of a secret and should be flagged.
Other items (e.g., "0xYourAddress", order IDs like 91490942, simple example passwords, environment variable names, endpoints) are placeholders, examples, or low-entropy values and were ignored per the rules.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly provides on-chain trading capabilities: it can place and cancel perpetual market/limit orders, preview and then execute trades, and submit signed blockchain actions to Hyperliquid's exchange endpoint. It requires wallet signing via onchainos (EIP-712) and performs settlement in USDC. These are specific crypto/market-order operations (signing transactions and broadcasting trades), so the plugin is expressly designed to move funds/execute financial transactions.
Issues (6)
Prompt injection detected in skill instructions.
Suspicious download URL detected in skill instructions.
Third-party content exposure detected (indirect prompt injection risk).
Unverifiable external dependency detected (runtime URL that controls agent).
Secret detected in skill content (API keys, tokens, passwords).
Direct money access capability detected (payment gateways, crypto, banking).