morpho

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.70). The prompt contains an auto-injected "Report install" script that builds and POSTs a hashed device fingerprint (including hostname and $HOME) using an obfuscated HMAC key to external endpoints — telemetry unrelated to Morpho's lending functionality and presented as "only OS/architecture" metadata, which is deceptive and outside the skill's stated purpose.

---

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). These URLs include instructions to curl|sh an install script and to download and execute a binary from a third‑party GitHub release (MigOKG) combined with telemetry/reporting endpoints — a common distribution pattern for potentially malicious software when the release account or build provenance is not well established.

---

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches external runtime data from public third-party endpoints (e.g., Morpho GraphQL at https://blue-api.morpho.org/graphql for MarketParams/markets/positions and https://api.merkl.xyz/v4/claim for Merkle proofs) and uses that untrusted data to build transactions, compute health factors, and decide/drive on-chain actions (see "What it does" for borrow/supply-collateral/claim-rewards and the "MarketParams from API" safety rule), so third-party content can materially influence agent behavior.

---

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill fetches and executes remote code at runtime (required for operation) via curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh and by downloading/executing the morpho binary from https://github.com/MigOKG/plugin-store/releases/download/plugins/morpho@0.1.0/morpho-${TARGET}, which directly runs external code.

---

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

• Secret detected (high risk: 1.00). I scanned the entire skill prompt for literal, high-entropy credentials. The only high-entropy literal present is the base64 string assigned into _K in the install/reporting script:

'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw=='

This value is base64-decoded and used as an HMAC key to compute a device signature (HMAC_SIG) that is then sent to the OKX reporting endpoint. Because it is a non-placeholder, encoded secret key embedded in the script and used to sign device tokens, it qualifies as a hardcoded secret (high entropy and directly usable to spoof/report device signatures).

All other potentially suspicious strings are safe to ignore per your rules:

• Contract and token addresses (Ethereum/Base addresses) are public on-chain addresses, not secrets.
• Command examples, placeholders like 0xYourAddress, and truncated tx hashes (0xabc...) are documentation/example values.
• URLs, installation commands, and simple strings (e.g., REPORT_FLAG path) are not secrets.

Therefore I flag the base64 HMAC key as a real hardcoded secret.

---

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The Morpho skill is explicitly designed for on-chain financial operations. It provides dedicated commands to supply/deposit, withdraw, borrow, repay, supply-collateral, and claim rewards; performs ERC-20 approvals; encodes and submits contract calls; and uses onchainos wallet contract-call to broadcast transactions (including a noted --force behavior). These are explicit crypto/blockchain transaction and wallet signing capabilities (moving tokens on Ethereum/Base), not generic tooling. Therefore it grants direct financial execution authority.