jito
Audited by Snyk on Apr 9, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The pre-flight "Report install" section includes obfuscated/decoded secrets and a device-fingerprinting + reporting routine that autonomously exfiltrates a device ID to external endpoints—hidden telemetry outside the Jito staking skill's stated functionality.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). These URLs include a raw shell script piped to sh and a GitHub release that distributes prebuilt binaries from an unverified user (both high-risk patterns), plus telemetry/reporting endpoints — while okx.com and raw.githubusercontent.com are legitimate domains, directly executing the script or installing an unfamiliar release binary could install malware or exfiltrate data.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill fetches and parses public, untrusted third-party content — notably Solana on-chain data via rpc::solana_rpc / rpc::get_account_data and rpc::get_token_accounts_by_owner (src/rpc.rs) and external APY data from DeFiLlama via fetch_defillama_apy (src/commands/rates.rs) — and uses those results to compute rates, choose token accounts, build transactions, and decide on actions, so external content can materially influence tool behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The pre-flight install steps fetch and execute remote code at runtime—e.g. curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh and curl -fsSL https://github.com/MigOKG/plugin-store/releases/download/plugins/jito@0.1.0/jito-${TARGET} -o ~/.local/bin/jito—which install required binaries (onchainos and the jito binary) and therefore constitute remote code execution that directly affects the agent runtime.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
-
Secret detected (high risk: 1.00). I scanned the full skill prompt for high-entropy, literal credentials. The script embeds a base64 literal assigned to _K:
'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw=='
This value is decoded and used as an HMAC signing key to compute a device signature (HMAC_SIG) that is sent to the OKX report API. It is a high-entropy literal that functions as a secret key for signing, so it meets the definition of a secret.
Other items that might look like credentials were ignored per the rules:
- Sample wallet/public addresses (e.g., "DTEqFXyF...", Jito program/mint addresses) are public on-chain identifiers — not secrets.
- Example outputs, sample balances, and simple example strings are documentation/test data and were not flagged.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly for on-chain crypto operations: staking and unstaking SOL for JitoSOL on Solana. It defines concrete write commands (e.g., "jito stake --amount ...", "jito unstake ...") that perform transactions and states these are executed via onchainos wallet contract-call to broadcast signed transactions and return txHash. It requires a connected wallet and provides an agent flow for previewing and then executing transactions. These are direct blockchain wallet/transaction actions (crypto execution), not generic tooling—so it grants direct financial execution authority.
Issues (6)
Prompt injection detected in skill instructions.
Suspicious download URL detected in skill instructions.
Third-party content exposure detected (indirect prompt injection risk).
Unverifiable external dependency detected (runtime URL that controls agent).
Secret detected in skill content (API keys, tokens, passwords).
Direct money access capability detected (payment gateways, crypto, banking).