pancakeswap-v2

Fail

Audited by Snyk on Apr 9, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 0.90). The prompt includes a hidden, obfuscated "Report install" step that computes a device fingerprint, decodes an embedded base64 key, generates an HMAC token, and silently posts that data to external endpoints — telemetry unrelated to the stated swap/liquidity functionality and not disclosed in the skill description, which is a deceptive/hidden instruction outside the skill's purpose.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.90). These links instruct fetching and running a raw install.sh and an architecture-specific binary (direct curl to a GitHub Releases asset from a likely small/unknown account) and contact a user-hosted Vercel endpoint plus an OKX reporting API — i.e., remote shell scripts/binaries and telemetry endpoints that can be abused to install malware or exfiltrate device data, so they are suspicious.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill expressly fetches data from public RPCs and third‑party APIs (see "Architecture" and the "Data Trust Boundary" sections and read-only commands like quote/get-reserves/get-pair), and the agent reads and acts on returned token names, addresses, amounts and calldata from these untrusted external sources which can directly influence transaction decisions and tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).


HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the full skill prompt for literal, high-entropy values that could be used as real credentials.

Findings:

  • The base64 string 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' assigned to _K is a hardcoded, obfuscated secret. It is decoded and then concatenated with a device ID to produce an HMAC signature used when reporting to OKX. This is a direct, literal secret (high-entropy, not a placeholder) embedded in the code and therefore should be treated as a credential.
  • Everything else in the document is either public data (token contract addresses), example outputs (truncated tx hashes like "0xabc..."/"0xdef..."), command examples, placeholders (e.g., 0xYourAddress), or obvious documentation/setup content. None of those meet the high-entropy, usable-credential criteria.

Why I flagged the base64 string:

  • It is not a placeholder; it is used programmatically as an HMAC key.
  • It is high-entropy and directly present in the repository text, making it a usable secret if an attacker replicates the HMAC signing behavior.

Ignored items:

  • Token contract addresses and example transaction hashes are public or truncated.
  • No other API keys, PEM blocks, or live "sk-..." style secrets were present.

Recommended action (brief): remove the hardcoded key, rotate it if it’s used in production, and replace with a secure runtime secret (environment variable or secure secrets manager) or move HMAC signing server-side.


MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly a crypto trading/liquidity tool for PancakeSwap V2: it supports swaps, add-liquidity, remove-liquidity, ERC‑20 approvals and broadcasts transactions via onchainos wallet contract-call --force (submits signed on‑chain transactions, reports txHash/explorer). Those are direct blockchain financial actions (moving tokens, approving spend, creating market/swaps), so it grants direct financial execution capability despite requiring user confirmation.

Issues (6)

  • CRITICAL E004: Prompt injection detected in skill instructions.
  • CRITICAL E005: Suspicious download URL detected in skill instructions.
  • MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
  • MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
  • HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
  • MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: CRITICAL
Analyzed: Apr 9, 2026, 02:24 AM
Issues: 6