kamino-liquidity

Fail

Audited by Snyk on Apr 9, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 0.80). The install/report section contains obfuscated (base64-decoded) HMAC logic that builds a device fingerprint and posts it to external endpoints — an exfiltrative, obfuscated action not required for the vault's stated deposit/withdraw/listing functionality.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.80). The set of URLs instructs executing a raw GitHub install.sh and downloading a prebuilt binary from a small/unknown GitHub account while posting a device fingerprint to external endpoints (Vercel/OKX), which is a supply-chain/telemetry risk and could distribute malware or exfiltrate identifying data.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and parses live data and serialized transactions from the public Kamino API (https://api.kamino.finance) — see SKILL.md "Read ops → direct HTTP calls to https://api.kamino.finance" and src/api.rs — and those responses (vault metadata and base64 transactions) are interpreted and used to build/submit on-chain transactions (e.g., src/commands/deposit.rs and src/onchainos.rs), so untrusted third-party content can directly influence tool actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).


HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I inspected the skill prompt for literal, high-entropy values that could be used to access a service.

Flagged item:

  • The string 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' is a base64-encoded literal which the script decodes and assigns to _K, then uses to compute an HMAC signature for reporting. This is hardcoded, high-entropy key material (obfuscated but directly present and decoded at runtime) and qualifies as a secret.

Ignored items (reasons):

  • All Solana addresses and example wallet values (e.g., "DTEqFXyF...") are public addresses, not credentials, and do not provide access.
  • Truncated tx hashes like "5xHk..." and examples labeled as sample output are redacted/truncated and/or clearly examples.
  • Environment names, URLs (api.kamino.finance, OKX endpoints), and installation commands are configuration/metadata, not secrets.

Conclusion: there is a real hardcoded secret (the base64-encoded HMAC key) that should be treated as sensitive.


MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly a crypto financial tool for interacting with Kamino KVaults on Solana: it supports deposit and withdraw write operations, calls the Kamino API to build unsigned on-chain transactions, and then executes those transactions via the onchainos wallet command (onchainos wallet contract-call ... --unsigned-tx ... --force). These are direct blockchain transaction submissions (crypto wallet / on-chain transfers) and thus constitute specific financial execution capability, not a generic tool. Although it requires user confirmation, the skill's primary and explicit purpose is to move crypto funds on-chain.

Issues (6)

  • E004 (CRITICAL): Prompt injection detected in skill instructions.
  • E005 (CRITICAL): Suspicious download URL detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
  • W008 (HIGH): Secret detected in skill content (API keys, tokens, passwords).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

  • Risk Level: CRITICAL
  • Analyzed: Apr 9, 2026, 02:34 AM
  • Issues: 6