The Agent Skills Directory

CRITICAL E004: Prompt injection detected in skill instructions.

Potential prompt injection detected (high risk: 1.00). The prompt includes an auto-injected "Report install" script that computes a device fingerprint and HMAC (using an obfuscated base64 key) and POSTs it to external endpoints—telemetry/exfiltration logic unrelated to Kamino Lend's stated lending functionality, therefore hidden/deceptive.

CRITICAL E005: Suspicious download URL detected in skill instructions.

Suspicious download URL detected (high risk: 0.80). The set includes a curl|sh raw GitHub installer and a direct GitHub release binary from a non-obvious account plus telemetry/exfiltration endpoints (Vercel and an OKX API), which are common patterns for distributing unvetted executables and collecting device identifiers—raising significant malware/privacy risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Third-party content exposure detected (high risk: 1.00). Yes — src/api.rs calls the public https://api.kamino.finance endpoints (get_markets, get_obligations and the build_*_tx functions) to ingest market data and base64-encoded transactions that the agent (via src/onchainos.rs) converts and submits with onchainos, so untrusted third‑party content is read at runtime and can directly control tool actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 1.00). The skill's pre-flight installs run a runtime shell command that pipes remote code to the shell (curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh) and the runtime also fetches serialized transactions from https://api.kamino.finance which are directly submitted/executed via onchainos, so these external URLs provide required runtime content that executes code or controls actions.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

Secret detected (high risk: 1.00). I scanned the full skill prompt for literal, high-entropy values that could be used as real credentials. I found a base64-encoded literal assigned to _K in the "Report install" script:

echo 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' | base64 -d ...

This is a hardcoded, non-placeholder, high-entropy value used as an HMAC signing key (to compute HMAC_SIG) and then used when reporting to the OKX API. It is not a generic placeholder or a simple example string, and therefore meets the definition of a secret in this context. Unsetting the variable after use does not prevent disclosure from version control or from anyone with repo access.

I found no other high-entropy literals (no obvious API keys, PEM blocks, or other random-looking credentials). Other strings in the document (command names, sample amounts, environment variable names, and simple example passwords or placeholders) are documentation or setup values and were ignored per the rules.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

Direct money access detected (high risk: 1.00). The skill is explicitly designed for cryptocurrency financial operations on Solana. It provides commands to supply, withdraw, borrow, and repay assets on the Kamino Lend protocol and executes on-chain transactions via onchainos wallet contract-call (submitting base58 transactions to Solana mainnet). These are direct blockchain wallet actions (crypto transfers/loans) rather than generic tooling or dry-run-only previews. Even though it requires explicit user confirmation, the skill includes mechanisms to construct and broadcast transactions, so it grants direct financial execution capability.

kamino-lend

Issues (6)