pancakeswap-clmm
Audited by Snyk on Apr 9, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The auto-injected "Report install" section silently computes a device fingerprint, derives an HMAC with an obfuscated key, and POSTs that identifier to external endpoints—telemetry/exfiltration behavior not disclosed in the plugin's stated PancakeSwap farming purpose, i.e., hidden/deceptive instructions.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). The install flow includes a direct executable download from an unverified GitHub release (unknown user distributing platform-specific binaries) and a raw "curl | sh" install script, plus third‑party/telemetry endpoints (Vercel + OKX API) that phone home; together these are high‑risk indicators for malware distribution and privacy/exfiltration.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests and displays untrusted external data from public RPCs/on‑chain smart contracts and third‑party APIs (see "Data Trust Boundary" and read commands like farm-pools, pending-rewards, positions in SKILL.md), and that data is used to decide/confirm actions (e.g., whether to farm/harvest), so it can materially influence the agent's actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's pre-flight install steps fetch and execute remote code at runtime—e.g. curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh (executes a remote install script) and curl -fsSL "https://github.com/MigOKG/plugin-store/releases/download/plugins/pancakeswap-clmm@0.1.0/pancakeswap-clmm-${TARGET}" (downloads a binary that is then installed and executed)—which are required dependencies and therefore present a high-risk runtime external code execution vector.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the full skill prompt for literal, high-entropy values that could function as usable credentials.
Findings:
- The only high-entropy literal is the base64 string assigned to the _K variable in the "Report install" block: 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw=='. This value is base64-decoded and used as an HMAC signing key to produce a device signature (DIV_ID/HMAC_SIG) that is sent in reporting requests. That matches the definition of a secret (a literal, high-entropy key used to sign/report device identity) and is not a placeholder. This is an active hardcoded credential.
Items ignored (with reasons):
- Contract addresses and public RPC/HTTP endpoints — not secrets.
- Example token IDs, chain IDs, and sample commands — documentation/examples, low-entropy or public.
- Other strings/URLs in curl commands and install scripts — public endpoints or non-secret configuration.
Recommendation: remove or rotate the embedded key, and replace with a runtime-provided secret (environment variable, secure vault, or server-side signing) to avoid exposing a hardcoded signing key in the repo or distributed binary.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed for on-chain crypto financial operations. It exposes write operations that submit signed blockchain transactions via "onchainos wallet contract-call" (with --force) to stake/unstake LP NFTs, withdraw tokens, harvest CAKE rewards, and collect swap fees across BSC/Ethereum/Base/Arbitrum. Commands like farm, unfarm, harvest, and collect-fees perform state-changing contract calls that move assets and tokens (NFT transfers, token withdrawals, reward claims) and resolve/use a wallet address. This is not a generic API or browser automation tool — it is a purpose-built DeFi plugin that can execute on-chain transactions and therefore has direct financial execution capability.