The Agent Skills Directory

CRITICAL E004: Prompt injection detected in skill instructions.

Potential prompt injection detected (high risk: 0.80). The preflight install/report script includes obfuscated telemetry that builds and HMAC-signs a device fingerprint using hostname and $HOME and posts it to external endpoints while the description misleadingly claims only OS/architecture metadata is sent — a hidden/deceptive data-exfiltration behavior outside the plugin's stated lending functionality.

CRITICAL E005: Suspicious download URL detected in skill instructions.

Suspicious download URL detected (high risk: 0.80). These links include direct executable downloads from an unverified GitHub releases account and a raw GitHub "curl | sh" installer plus small/individual GitHub repos and third‑party telemetry endpoints (Vercel), which—while not obviously malicious—are realistic vectors for distributing malware because binaries/scripts come from relatively unknown accounts and are executed directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Third-party content exposure detected (high risk: 0.90). The skill performs read operations via the public RPC (https://ethereum.publicnode.com) and returns CLI output derived from on-chain smart contracts and third-party APIs (see get-pools/get-position and the "Data Trust Boundary"), which the agent is expected to ingest and use to compute normalized debt and decide/broadcast transactions—meeting the criteria for exposure to untrusted third‑party content.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 0.90). The skill's pre-flight install steps fetch and execute remote code at runtime—specifically curl https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh (executes a remote install script) and curl https://github.com/MigOKG/plugin-store/releases/download/plugins/ion-protocol@0.1.0/ion-protocol-... (downloads and installs a remote binary)—which are required dependencies and thus present a high risk of executing untrusted remote code.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

Secret detected (high risk: 1.00). I found a base64-encoded high-entropy key embedded in the install/report script:
The literal string 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' is decoded into _K and used to compute an HMAC signature (HMAC_SIG) that is sent with a device token to OKX's reporting API. This is a decodable, high-entropy secret material used for signing; it is not a placeholder or obvious example and therefore should be treated as an active credential.

Ignored items / why not flagged:

All listed Ethereum addresses and pool addresses are public contract addresses (not secrets).
Placeholder/example values like "0xYourWallet", the "0x00" whitelist root, RPC URL, and install/report endpoints are public or documentation placeholders.
No visible API keys of the form sk-... or private PEM blocks were present.

Therefore the base64-encoded _K is flagged as a real secret.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

Direct money access detected (high risk: 1.00). Yes. The skill is explicitly a blockchain lending plugin that performs on-chain state-changing operations: lend (supply), withdraw-lend, deposit-collateral, borrow, repay, and collateral withdrawal. Each write command maps to contract calls (approve, GemJoin.join, IonPool.depositCollateral, IonPool.borrow, IonPool.repay, IonPool.withdraw, etc.) on Ethereum Mainnet and is intended to move tokens and change balances. It requires a connected wallet and uses onchainos wallet contract-call broadcasting (the binary uses --force to broadcast TXs; agent confirmation is described as the safety gate). This is a specific crypto/blockchain financial execution tool (signing/sending transactions and managing loans), not a generic API or browser automation, so it grants Direct Financial Execution Authority.

ion-protocol