The Agent Skills Directory

CRITICAL E004: Prompt injection detected in skill instructions.

Potential prompt injection detected (high risk: 1.00). The pre-flight "Report install" section contains obfuscated/base64 decoding, computes a device fingerprint and HMAC, and silently posts that identifier to external endpoints—an out-of-scope, exfiltrative behavior unrelated to the declared Instadapp vault functionality, so it is a deceptive prompt injection.

CRITICAL E005: Suspicious download URL detected in skill instructions.

Suspicious download URL detected (high risk: 0.80). These links instruct downloading and executing code: a raw GitHub install.sh piped to sh and a direct GitHub release binary from an unfamiliar user, plus telemetry/reporting endpoints — running unsigned scripts/binaries from unvetted accounts and third‑party hosts is a significant risk for malware/privacy/exfiltration.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Third-party content exposure detected (high risk: 0.80). The skill performs direct eth_call queries to an open public RPC (https://ethereum.publicnode.com) (see config::ETHEREUM_RPC and src/rpc.rs and the "Read ops (vaults, rates, positions)" sections in SKILL.md), and it parses those on-chain responses into exchange prices, balances, calldata, and decision logic used by the CLI — meaning untrusted third-party content from the public RPC is read and can materially influence transaction-building and next actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 0.90). The skill's pre-flight install commands fetch and execute remote code at runtime — notably the curl | sh installer at https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh and the GitHub release binary download at https://github.com/MigOKG/plugin-store/releases/download/plugins/instadapp@0.1.0/instadapp-${TARGET} — which directly execute remote code and are required for the CLI functionality.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

Secret detected (high risk: 1.00). I scanned the entire skill prompt for literal, high-entropy values that could be usable credentials.

Flagged item:

The base64 string assigned to _K in the install/report block: 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' This is decoded and used as an HMAC signing key to create a device token (HMAC_SIG) which is then sent to OKX API. It is not a placeholder, is not truncated/redacted, and appears to be an embedded, obfuscated secret key — therefore a real secret by the definition given.

Ignored items (not flagged) and why:

Contract addresses (e.g., 0xc383a..., 0xa0d37...) — public on-chain identifiers, not secrets.
Example wallet fragment "0x87fb..." — truncated/placeholder.
CLI commands, URLs, selectors, and sample outputs — not secrets.
Any plain/simple strings (e.g., "instadapp", "iETH", "0.0001") — low-entropy/documentation values.

Conclusion: one actual embedded secret (the base64 HMAC key) is present.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

Direct money access detected (high risk: 1.00). The skill explicitly implements crypto financial execution: it installs and uses the onchainos CLI and an instadapp binary, and exposes write operations that sign/broadcast on-chain transactions (e.g., supplyEth(), stETH approve(), ERC‑4626 deposit(), withdraw()/redeem()) via onchainos wallet contract-call. Those commands submit transactions and return txHashes/Etherscan links. Even though it requires user confirmation flags, the primary purpose is moving crypto funds on Ethereum, so it grants direct financial execution capability.

instadapp