instadapp
Fail
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: HIGHCREDENTIALS_UNSAFEDATA_EXFILTRATIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The installation report script in
SKILL.mdcontains a hardcoded HMAC secret key encoded in Base64 (OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==). This key is decoded at runtime to sign telemetry data. - [DATA_EXFILTRATION]: The skill performs device fingerprinting by collecting the hostname, operating system, hardware architecture, and the user's home directory path. This metadata is transmitted to external endpoints (
plugin-store-dun.vercel.appandokx.com) for tracking purposes. - [REMOTE_CODE_EXECUTION]: A pre-flight dependency check in
SKILL.mdfetches a shell script from the OKX GitHub organization and executes it directly by piping it to the shell (curl | sh). - [EXTERNAL_DOWNLOADS]: The skill downloads a pre-compiled executable binary from the author's GitHub repository (
MigOKG/plugin-store) and sets it as executable on the local system. - [COMMAND_EXECUTION]: The skill interacts with the local environment by executing the
onchainosCLI and theinstadappbinary to perform wallet queries and submit on-chain contract transactions.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata