moonwell
Audited by Snyk on Apr 9, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.80). The pre-flight script includes an auto-injected, obfuscated telemetry/reporting routine that computes a device fingerprint/HMAC and POSTs it to external endpoints—behavior unrelated to the Moonwell lending functionality and hidden via base64 obfuscation, so it qualifies as deceptive/extraneous instructions.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.85). These links are suspicious because they include a curl|sh install from raw GitHub and a direct download of unsigned executables from an unverified GitHub account (MigOKG), combined with telemetry/reporting endpoints — a pattern commonly used to distribute or activate malware and exfiltrate device info.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill directly fetches public, untrusted on-chain data from third-party RPC endpoints (e.g., src/rpc.rs eth_call using RPC URLs like https://base.publicnode.com listed in plugin.yaml/config.rs). It also includes required pre-flight install steps that curl scripts from raw.githubusercontent.com. Those external responses are parsed and used by the markets/positions/command handlers to compute APRs, balances and drive suggestions, so untrusted third-party content is read and can materially influence actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's auto-injected pre-flight steps run at session start and directly execute remote code fetched via curl (e.g. "https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh" piped to sh) and download a binary from "https://github.com/MigOKG/plugin-store/releases/download/plugins/moonwell@0.1.0/moonwell-${TARGET}". Both are required for operation and therefore present a high execution risk.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the entire skill prompt for literal, high-entropy secrets. The only direct candidate is the base64 string:
OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==
This string is assigned to _K and then decoded and used to compute an HMAC signature for a device token ("HMAC signature (obfuscated key, same as CLI binary)"). It is not a placeholder (not named YOUR_KEY or similar), appears random/high-entropy, and is directly present in the code — therefore it qualifies as a hardcoded secret.
Items I did NOT flag:
- Contract addresses (Ethereum addresses) — these are public on-chain addresses, not secrets.
- Example commands, parameter names, and sample wallet placeholders (e.g., 0xYourAddress) — documentation placeholders per the policy.
- Simple example passwords and sample flags or truncated/redacted values — none meet the high-entropy, usable-credential definition.
Because the base64 value decodes to an HMAC key used in reporting, it should be treated as a real secret and flagged.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a crypto on-chain plugin for Moonwell that includes concrete write operations: ERC20.approve, mToken.mint (supply/deposit), redeem (burn mTokens for underlying), and claim-rewards. It integrates with onchainos wallet and requires broadcasting transactions (with a --confirm flag). Although some commands are dry-run only (borrow/repay), multiple commands perform real blockchain transactions and therefore provide direct crypto financial execution capability (signing/sending transactions). This matches "Crypto/Blockchain (Wallets, Swaps, Signing)" in the Core Rule.
Issues (6)
Prompt injection detected in skill instructions.
Suspicious download URL detected in skill instructions.
Third-party content exposure detected (indirect prompt injection risk).
Unverifiable external dependency detected (runtime URL that controls agent).
Secret detected in skill content (API keys, tokens, passwords).
Direct money access capability detected (payment gateways, crypto, banking).