pancakeswap
Pass
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches installation scripts and binary components from the official OKX GitHub repository and the author's plugin-store repository.
- [REMOTE_CODE_EXECUTION]: Executes an installation script from the OKX GitHub organization to configure the onchainos execution environment.
- [COMMAND_EXECUTION]: Interacts with the local system via the onchainos CLI to manage wallet state and execute smart contract calls.
- [DATA_EXFILTRATION]: Reports installation telemetry, including hashed system metadata, to disclosed reporting endpoints at okx.com and Vercel. This behavior is documented as anonymous install reporting.
- [SAFE]: Implements a Data Trust Boundary to mitigate risks from external data sources such as blockchain RPCs and subgraphs.
- Ingestion points: Token metadata and position data retrieved from blockchain RPCs and TheGraph subgraphs (SKILL.md).
- Boundary markers: Explicitly defined safety notices regarding untrusted external content and instructions to ignore embedded commands.
- Capability inventory: Transaction submission and contract calls via the onchainos CLI (src/onchainos.rs).
- Sanitization: Output filtering is mandated before passing results into the agent context, ensuring only human-relevant fields are rendered.
- [SAFE]: Enforces a security model where all state-modifying write operations require explicit user approval and provide dry-run previews of transaction calldata.
Audit Metadata