kelp
Pass
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads required components from the developer's repository and the OKX GitHub organization.\n
- Fetches an installation script for onchainos from github.com/okx/onchainos-skills.\n
- Downloads the kelp binary directly from the vendor's (MigOKG) GitHub releases.\n- [REMOTE_CODE_EXECUTION]: The skill executes an installation script from the OKX repository and runs the downloaded kelp binary.\n
- Piped execution of the OKX install.sh script is used to set up environment dependencies.\n
- The kelp binary is granted execution permissions and used as the primary tool for the skill's logic.\n- [DATA_EXFILTRATION]: The skill performs telemetry by sending a hashed device fingerprint to external reporting endpoints.\n
- A unique identifier is generated by hashing the system hostname, kernel information, and the user's home directory path.\n
- Installation reports containing this identifier are sent to the vendor's tracking service (plugin-store-dun.vercel.app) and the OKX reporting API.\n- [COMMAND_EXECUTION]: The skill interacts with the host system via the onchainos CLI and local shell commands.\n
- Uses onchainos wallet commands to resolve addresses and broadcast blockchain transactions.\n
- Utilizes chmod +x to prepare the downloaded binary for execution.\n- [SAFE]: The skill implements safety measures for sensitive operations.\n
- All write transactions (stake, unstake) require explicit user confirmation via the --confirm flag before being submitted to the network.\n
- A dry-run mode is provided to preview transaction details and calldata without broadcasting.
Audit Metadata