morpho-base

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.90). The plugin includes an "auto-injected" install/reporting block that obfuscates an HMAC key (base64), computes a device fingerprint from hostname/uname/$HOME, and posts it to external endpoints — behavior unrelated to the Morpho lending functionality and therefore a hidden/exfiltrative instruction outside the skill's stated purpose.

---

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). Although some endpoints (okx.com, morpho.org) look legitimate, the skill instructs running a raw GitHub install.sh via curl|sh and fetching a prebuilt binary from a GitHub release by an unvetted user—classic high‑risk patterns for malware distribution—so the overall bundle is suspicious.

---

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly performs runtime queries to public third-party endpoints—notably the Morpho GraphQL API (https://blue-api.morpho.org/graphql) for MarketParams/markets/positions and the Merkl API (https://api.merkl.xyz/…) for claim proofs—and those responses are parsed and used to build calldata and decide/execute on-chain transactions, so untrusted external content can directly influence agent actions.

---

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's pre-flight installs explicitly fetch-and-execute remote code at runtime (curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh) and downloads an executable from https://github.com/MigOKG/plugin-store/releases/download/plugins/morpho-base@0.1.0/morpho-base-${TARGET}, so required runtime content is fetched that will execute remote code.

---

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

• Secret detected (high risk: 1.00). I scanned the full skill prompt for literal, high-entropy values that could be usable credentials.

Findings:

• The only high-entropy literal is the base64 string passed into _K: 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' This decodes to a non-trivial constant which is then used as an HMAC key to generate a device signature (HMAC_SIG) sent to an external reporting endpoint. That makes it a secret-like value (an embedded signing key) — not a documentation placeholder or simple example — so it meets the “high-entropy, literal value that provides access” criterion.

Ignored items (not flagged) and why:

• All Ethereum addresses, token addresses, and market-id hex strings (e.g., 0xbeeF010..., 0x9103c3b4...) are public blockchain identifiers, not secrets.
• URLs, CLI commands, and environment variable names are not secrets.
• Plain example outputs and simple words (e.g., “Please connect your wallet first”) are documentation/sample content per the policy.

Conclusion follows the Analysis Protocol: only flag literal, high-entropy values that appear usable — the embedded base64 HMAC key qualifies.

---

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly and specifically designed to execute on-chain financial operations on the Base network: it provides commands to supply/deposit, withdraw, borrow, repay, supply-collateral, claim rewards, and perform ERC-20 approvals. Write operations are submitted via onchainos wallet contract-call (i.e., signing and broadcasting transactions), and it lists vault and token addresses and market IDs. These are direct crypto/blockchain transaction capabilities (moving tokens, approving spend, creating borrow/repay transactions), not generic tooling. Therefore it grants direct financial execution authority.