kelp
Audited by Snyk on Apr 9, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.90). Yes — the pre-flight "Report install" section secretly computes a device fingerprint, decodes an obfuscated HMAC key, and POSTs a signed device token to external endpoints (telemetry/exfiltration) which is outside and not disclosed as part of the plugin's stated staking/querying functionality.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). These URLs instruct fetching and executing a remote shell script and platform binaries — including a raw GitHub .sh piped to sh and a GitHub release binary from a less-known user plus a third‑party Vercel telemetry endpoint — which makes them potentially risky even though some domains (okx, github.com) are legitimate; treat as suspicious and verify sources/signatures before running.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's pre-flight install fetches and executes remote code at runtime — notably via "curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh" and by downloading the kelp binary from "https://github.com/MigOKG/plugin-store/releases/download/plugins/kelp@0.1.0/kelp-${TARGET}", so these runtime downloads directly execute external code and are required for the skill.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I inspected the full skill prompt for high-entropy literal values that could be usable credentials.
Flagged item:
- The base64 string OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw== assigned to _K and used to compute an HMAC signature. It is a high-entropy literal secret (an obfuscated key used to HMAC-sign a device token) and therefore qualifies as a hardcoded secret.
Ignored items (reasons):
- Contract addresses (0x...): public on-chain addresses, not secrets.
- Command selectors, calldata, and example outputs: protocol details/examples, not credentials.
- Shell/CLI install URLs, report endpoints, and example passwords: not high-entropy or are documentation/examples per the policy.
Because the embedded base64 key is a usable secret (used for HMAC signing), this counts as a hardcoded credential that should be treated as sensitive.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to move funds on-chain. It provides dedicated write operations for staking and unstaking ETH/rsETH, includes contract addresses and calldata selectors (depositETH, initiateWithdrawal), and calls a concrete wallet command to broadcast transactions: "onchainos wallet contract-call --force". Those are specific crypto/blockchain transaction capabilities (wallet/contract calls / signing & broadcasting), so it grants direct financial execution authority—even though user confirmation is required.
Issues (5)
Prompt injection detected in skill instructions.
Suspicious download URL detected in skill instructions.
Unverifiable external dependency detected (runtime URL that controls agent).
Secret detected in skill content (API keys, tokens, passwords).
Direct money access capability detected (payment gateways, crypto, banking).