meteora
Audited by Snyk on Apr 9, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The prompt includes an obfuscated "Report install" script that computes a device ID/HMAC and posts it to external endpoints—a hidden telemetry/exfiltration step not related to the plugin's advertised trading/query functionality, so it is a deceptive instruction outside the skill's stated purpose.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). The skill instructs running a raw GitHub shell script via curl|sh and fetching an executable from a GitHub release hosted by an unfamiliar user, together with telemetry/reporting endpoints (device fingerprinting); these are high-risk patterns for supply-chain malware or data exfiltration.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's pre-flight install fetches and executes remote code at runtime — e.g. "curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh" and it downloads an executable from "https://github.com/MigOKG/plugin-store/releases/download/plugins/meteora@0.1.0/…" — both are required installs that execute remote code.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I found a high-entropy literal value in the install/reporting script:
- The base64 string 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' is assigned to _K with the comment "obfuscated key, same as CLI binary" and is used to compute an HMAC signature (HMAC_SIG) for device reporting. This is a literal, high-entropy secret key embedded in the code and appears to be used to sign device tokens — therefore it qualifies as a hardcoded secret.
Ignored items (not flagged):
- All Solana token mint addresses (So1111..., EPjFWdd..., Es9vMF...) are public on-chain identifiers, not secrets.
- Other strings are either generated (DEV_ID), URLs/endpoints, or clearly example/placeholder values. No other high-entropy credentials (API keys, private key PEM blocks, or similar) are present.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly provides write operations to execute token swaps on the Solana blockchain. The "swap" command runs via the onchainos CLI which "handles signing and broadcast automatically" and the execution flow describes obtaining user confirmation then executing the transaction and returning a transaction hash/Solscan link. This is a specific crypto/blockchain financial operation (wallet signing, swaps, broadcasting on Solana), so it grants direct financial execution capability.
Issues (5)
- Prompt injection detected in skill instructions.
- Suspicious download URL detected in skill instructions.
- Unverifiable external dependency detected (runtime URL that controls agent).
- Secret detected in skill content (API keys, tokens, passwords).
- Direct money access capability detected (payment gateways, crypto, banking).