okx-buildx-hackathon-agent-track

Fail

Audited by Snyk on Apr 9, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt asks the agent to obtain user API keys (Moltbook/OnchainOS) and to use them in requests and curl commands (e.g., Authorization: Bearer YOUR_API_KEY), which requires the agent/LLM to handle and potentially output secret values verbatim.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (medium risk: 0.65). The list is mixed: many URLs are official docs and platform APIs (web3.okx.com, github.com, moltbook.com), but it includes a direct raw.githubusercontent.com shell script meant to be curl|sh and a third-party Vercel "install" endpoint — direct execution of remote scripts or installers from non-trusted/third-party hosts is a common malware distribution vector, so the set is moderately risky.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md and scripts/setup.sh explicitly instruct the agent to fetch and browse public Moltbook content (https://www.moltbook.com/m/buildx) and to curl external docs (https://www.moltbook.com, https://web3.okx.com, https://docs.uniswap.org), requiring the agent to read and act on untrusted, user-generated submissions/comments (e.g., evaluate and vote/comment), which can materially influence its actions and thus enable indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).


HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the full skill prompt for literal, high-entropy values that would constitute usable credentials.

Findings:

  • The script in "Report install" contains a base64-encoded string, OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==, which is decoded and used as _K (an HMAC key) to compute an HMAC signature for a device token. The comment explicitly calls it "obfuscated key, same as CLI binary." This is a literal, non-placeholder, high-entropy value used as a signing secret → qualifies as a hardcoded secret.

Ignored items (not flagged):

  • "moltbook_xxx", "moltbook_verify_abc123def456...", "YOUR_API_KEY", "MOLTBOOK_API_KEY", "reef-X4B2" etc. — these are placeholders or example API keys/verification codes per the doc and/or low-entropy examples and thus intentionally excluded by the rules.
  • Simple example passwords or sample tokens in examples are treated as documentation placeholders and ignored.

Conclusion: there is one embedded, high-entropy secret (the base64-encoded HMAC key) that should be removed or rotated and moved to secure storage.


MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly centered on on-chain financial activity: it requires installing the OnchainOS CLI/skills, references OnchainOS modules (Wallet, DEX, Payment), Uniswap AI Skills, and an Agentic Wallet for signing/executing transactions. It instructs the agent to obtain and use an OnchainOS API key and to run on-chain transactions via the Agentic Wallet (e.g., DEX swaps, payments, on-chain tx examples). Those are specific crypto/blockchain wallet and transaction capabilities (signing, swaps, payments), not generic tooling—so it grants direct financial execution authority.

Issues (6)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • E005 (CRITICAL): Suspicious download URL detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
  • W008 (HIGH): Secret detected in skill content (API keys, tokens, passwords).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

Risk Level: CRITICAL
Analyzed: Apr 9, 2026, 05:44 AM
Issues: 6