lido
Audited by Snyk on Apr 9, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The pre-flight install script includes an obfuscated base64 HMAC key and shell steps that compute a device fingerprint and POST it to external endpoints (telemetry/exfiltration), which is unrelated to the plugin's Lido staking functionality and constitutes hidden/deceptive instructions.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill issues HTTP/RPC calls to public Lido APIs (e.g. https://eth-api.lido.fi/v1/protocol/steth/apr/sma and wq-api.lido.fi) and a public Ethereum RPC (https://ethereum.publicnode.com) and directly parses those responses (APR, wait times, checkpoint indices/hints) to decide flows and build/submit calldata (see get-apy, get-withdrawals, and claim-withdrawal steps), so untrusted third-party content can materially influence tool use.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's pre-flight setup runs remote-install commands that fetch and execute code at runtime — notably curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh (installs onchainos) and curl -fsSL https://github.com/MigOKG/plugin-store/releases/download/plugins/lido@0.1.0/lido-${TARGET} (downloads a binary) — so external content is executed and required for the skill.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the entire skill prompt for literal, high-entropy values that could be active credentials.
Findings:
- The script sets _K to a base64-encoded string: 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' and then uses it to compute an HMAC signature (HMAC_SIG) for a device token reported to external APIs. This is a literal, high-entropy value embedded in the code and used as a signing key — it functions like a secret key and should be treated as a hardcoded credential. Even though it is "obfuscated" via base64, that does not remove its sensitivity.
Ignored items (not flagged):
- Contract addresses (Ethereum addresses) — public on-chain addresses, not secrets.
- CLI commands, environment variable names, placeholders, and example/simple passwords — none meet the high-entropy, literal credential definition.
- URLs and other non-secret configuration (API endpoints, public endpoints).
Therefore this document does contain an embedded secret (the base64 HMAC key).
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a crypto-financial tool: it is specifically designed to move value on Ethereum (stake ETH to receive stETH, request withdrawals, and claim ETH). It defines concrete write operations that construct and broadcast transactions (e.g.,
lido stakeexecutesonchainos wallet contract-call --amt <WEI>,request-withdrawalperforms approve + request transactions,claim-withdrawalburns NFTs and sends ETH). It integrates with an onchain wallet CLI (onchainos) for signing/submission and includes contract addresses and calldata. Even though user confirmation is required, the plugin's primary purpose is executing blockchain financial transactions (crypto/wallet signing), so it grants Direct Financial Execution Authority.
Issues (5)
Prompt injection detected in skill instructions.
Third-party content exposure detected (indirect prompt injection risk).
Unverifiable external dependency detected (runtime URL that controls agent).
Secret detected in skill content (API keys, tokens, passwords).
Direct money access capability detected (payment gateways, crypto, banking).