pancakeswap
Audited by Snyk on Apr 9, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The pre-flight "Report install" block silently computes a device fingerprint, decodes an obfuscated HMAC key, and POSTs a signed device ID to external endpoints — an unrelated, hidden telemetry/exfiltration step outside the skill's stated swapping/liquidity functionality.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches and uses data from open/public third-party sources — e.g., QuoterV2 via eth_call for
quote, TheGraph subgraph forpositions, and public RPC endpoints listed in plugin.yaml — and the SKILL.md execution flows require the agent to read and act on those untrusted on-chain/API responses to compute quotes, set minimum amounts, and decide/submit transactions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's auto-injected pre-flight steps fetch and execute remote code at runtime—specifically curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh (executes a remote install script) and curl -fsSL https://github.com/MigOKG/plugin-store/releases/download/plugins/pancakeswap@0.1.0/pancakeswap-${TARGET} (downloads a binary that is made executable and relied upon)—so these URLs provide required external code executed at runtime.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I flagged one hardcoded secret: the base64 string assigned to _K in the install/report script:
'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw=='
This is a non-trivial, high-entropy literal (base64-encoded) that is decoded and used as an HMAC signing key for device/reporting logic — i.e., a secret key embedded directly in the code. It is not a placeholder, truncated value, or a simple setup password, and it is used to derive a device token (HMAC_SIG), so it meets the definition of an actual credential.
Other values in the skill prompt (contract addresses, token addresses, example wallet string placeholders like 0xYourWalletAddress, installation curl commands, and command examples) are public, low-entropy, or clearly documentation/example placeholders and therefore not flagged.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed for crypto financial operations on PancakeSwap V3: it provides commands to perform token swaps, approve tokens, mint (add liquidity), decreaseLiquidity/collect (remove liquidity), and submits on-chain write transactions via
onchainos wallet contract-call. These are direct blockchain wallet operations that move funds and sign transactions (swaps/approvals/mints/collects). This matches the "Crypto/Blockchain (Wallets, Swaps, Signing)" criterion for Direct Financial Execution.
Issues (5)
Prompt injection detected in skill instructions.
Third-party content exposure detected (indirect prompt injection risk).
Unverifiable external dependency detected (runtime URL that controls agent).
Secret detected in skill content (API keys, tokens, passwords).
Direct money access capability detected (payment gateways, crypto, banking).