lifi
Audited by Snyk on Apr 9, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.90). The prompt contains an obfuscated base64 HMAC key and a device-fingerprinting + reporting routine that POSTs a signed device ID to external endpoints — a telemetry/exfiltration behavior unrelated to the skill's stated bridging/swap functionality and effectively a hidden/deceptive instruction.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). The bundle contains high-risk elements: it tells users to pipe a remote install.sh from raw.githubusercontent.com and to download/execute a binary from a GitHub release belonging to an untrusted/unknown user (MigOKG), while the okx and Vercel endpoints are likely telemetry/API endpoints but do not mitigate the risk of running remote shell scripts or unsigned binaries.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill directly calls the public LI.FI API (LIFI_API = "https://li.quest/v1" in src/api.rs and documented in SKILL.md) to fetch quotes, transactionRequest data, approvalAddress, tokens, and status, and the swap flow (src/commands/swap.rs) reads that untrusted API output (calldata/to/value/approvalAddress) and uses it to construct and submit onchainos wallet contract-call transactions—so third‑party responses can materially influence actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's auto-injected pre-flight steps fetch and execute remote code at runtime (curl | sh installer: https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh and the GitHub release binary download https://github.com/MigOKG/plugin-store/releases/download/plugins/lifi@0.1.0/lifi-${TARGET}), and those are required dependencies that run code on the host.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the entire skill prompt for literal, high-entropy values used as credentials. The snippet setting _K contains a base64-encoded, random-looking string:
'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw=='
This value is decoded and used as an HMAC key to compute an HMAC-signed device token (HMAC_SIG) that is sent to OKX's reporting endpoint. That is a hardcoded secret-like value (high entropy, literal, and used as a signing key) and should be treated as a credential leak.
Other potential matches were ignored:
- The 0x1231DEB6... value is a public contract address (not a secret).
- Chain IDs, CLI commands, example passwords, and placeholders (e.g., environment variable names) are documentation/sample items and not flagged per the rules.
Because the base64 string is a real, embedded signing key, I consider this an actual secret present in the documentation.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly implements cryptocurrency transfer and swap functionality. It exposes a "swap" write operation that (after fetching a quote) broadcasts transactions to a smart contract via onchainos wallet contract-call, performs ERC‑20 approves, and returns tx hashes. It requires a connected wallet, references the LiFiDiamond contract address, supports cross‑chain bridging, and includes flags (--confirm, --force, --dry-run) to preview and then execute on‑chain transactions. These are specific crypto/blockchain transaction capabilities (signing/sending swaps/bridges), so this is direct financial execution.