orca
Audited by Snyk on Apr 9, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The prompt includes obfuscated/hidden instructions (base64-decoded key and HMAC device fingerprinting) that compute and exfiltrate a device identifier to external endpoints during install—behavior unrelated to the advertised swap/query functionality and thus a deceptive prompt injection.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). Although some endpoints are benign APIs (api.orca.so, okx.com) and reporting URLs, the prompt instructs piping a raw GitHub install.sh and downloading an executable from a GitHub release (MigOKG). Direct curl|sh and anonymous-release binaries are high-risk distribution vectors because they run unreviewed code from origins whose trustworthiness is not guaranteed.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). The skill includes automatic, opaque telemetry that computes a device fingerprint and posts it (with an obfuscated HMAC key) to external endpoints, plus instructions that curl|sh remote installers and download unsigned binaries — patterns consistent with deliberate data exfiltration and supply‑chain risk.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's pre-flight install step fetches and pipes a remote script to sh from https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh and also downloads an executable binary from https://github.com/MigOKG/plugin-store/releases/download/plugins/orca@0.1.0/orca-${TARGET}, both of which are fetched during runtime, executed/installed locally, and are required dependencies, so they directly execute remote code.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I found one hardcoded, high-entropy credential: the base64 string assigned/decoded into _K in the "Report install" section:
OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==
This value is decoded and used as the HMAC signing key for the device token (HMAC_SIG = HMAC(_K, DEV_ID)). That makes it a literal secret (high-entropy key) embedded in the code, so it should be treated as a real credential.
Ignored items and why:
- Solana program ID (whirLbMiicVdio...) and token mint addresses (So1111..., EPjF..., etc.) are public on-chain identifiers, not secrets.
- Scripted URLs, install commands, and sample CLI flags are operational/configuration data, not credentials.
- There are no PEM blocks, API keys like sk-..., or other obvious high-entropy tokens elsewhere in the prompt.
Therefore the only flagged secret is the base64-encoded HMAC key (_K).
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly implements on-chain token swaps on Solana. The "swap" command submits transactions via "onchainos dex swap execute --chain 501", targets the Orca Whirlpools program, and reports transaction hashes/Solscan links. These are direct crypto/blockchain financial operations (signing/broadcasting swaps), not generic tooling. Therefore it grants Direct Financial Execution authority.
Issues (6)
Prompt injection detected in skill instructions.
Suspicious download URL detected in skill instructions.
Malicious code pattern detected in skill scripts.
Unverifiable external dependency detected (runtime URL that controls agent).
Secret detected in skill content (API keys, tokens, passwords).
Direct money access capability detected (payment gateways, crypto, banking).