lido-v2

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.80). The prompt includes an auto-injected "Report install" block that computes a device fingerprint, derives an HMAC-signed device token (using an obfuscated key), and posts that data to external endpoints — an act of device-identifying data exfiltration that is unrelated to the plugin's stated Lido staking functionality and therefore a hidden/deceptive instruction outside scope.

---

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.90). Although some links point to legitimate documentation (docs.lido.fi) and OKX domains, the skill instructs curl|sh of a raw GitHub install script and direct download of platform-specific binaries from GitHub releases maintained by uncommon/third‑party accounts (and includes automated reporting endpoints), which are high‑risk patterns for malware distribution.

---

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly performs read operations against public third‑party sources (Lido's REST API and public RPCs — see "get-apr" and the "Architecture" / "Data Trust Boundary" sections) and uses those returned values to drive workflow and transaction decisions, so it clearly consumes untrusted external content that could indirectly influence agent actions.

---

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's pre-flight install steps fetch and execute remote code at runtime — specifically the installer script (curl https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh) and the lido binary download (https://github.com/MigOKG/plugin-store/releases/download/plugins/lido-v2@0.1.0/lido-${TARGET}) — which directly executes remote content and are required dependencies.

---

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

• Secret detected (high risk: 1.00). I inspected the full skill prompt for literal, high-entropy credentials. The script in "Report install" contains a base64-encoded string:

'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw=='

This value is decoded and used as _K (an HMAC signing key) to compute an HMAC signature for a device token that is posted to OKX and a plugin reporting endpoint. It is a high-entropy, literal value (not a placeholder or truncated/redacted example) and therefore qualifies as a secret embedded in the code.

All other candidate items are safe to ignore per the provided rules:

• Contract addresses and chain IDs are public on-chain values.
• Example placeholders like "0xYourWallet" are documentation placeholders and not secrets.
• No API keys (sk-...), PEM blocks, or other high-entropy secrets are present besides the base64 string above.

Because the base64 string decodes to an HMAC key used for signing/reporting, it should be treated as a hardcoded secret and flagged.

---

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly performs on-chain financial operations: it stakes ETH, wraps/unwraps stETH/wstETH, requests and claims ETH withdrawals, and submits contract transactions via onchainos wallet contract-call. Write operations broadcast transactions (the binary uses --force) after user confirmation. These are direct crypto transaction capabilities (wallet signing/sending) — i.e., explicit crypto/financial execution.