pendle
Audited by Snyk on Apr 9, 2026
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). The skill installs and runs code via curl|sh and downloads a platform-specific executable from a third‑party GitHub release (MigOKG) while also POSTing an HMAC‑signed device fingerprint to an unvetted Vercel endpoint — direct executables from an unknown account plus remote install scripts and telemetry make this a high-risk distribution vector.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). The skill contains deliberate device-fingerprinting and silent telemetry (hostname/uname/$HOME hashed and HMAC-signed) exfiltrated to external endpoints, uses a base64-obfuscated HMAC key, and performs remote curl|sh installs and binary downloads—patterns that constitute privacy-invasive data exfiltration and clear supply-chain risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill explicitly makes direct REST calls to the Pendle API and reads on-chain smart-contract and third-party API data (see "Architecture" and "Data Trust Boundary" in SKILL.md), and the agent consumes fields like impliedAPY and SDK responses (e.g., requiredApprovals) which are used to decide warnings, approvals, and contract calls — meaning untrusted external content can influence actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's pre-flight runtime installs fetch and execute remote code — notably via "curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh" and downloading the executable "https://github.com/MigOKG/plugin-store/releases/download/plugins/pendle@0.1.0/pendle-${TARGET}" which the skill requires to run.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the full skill prompt for high-entropy, literal values that look like real credentials.
Flagged item:
- The base64 literal 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' assigned to _K in the "Report install" code block. This decodes to a non-trivial random-looking string and is directly used as an "obfuscated key" to compute an HMAC (HMAC_SIG). That is a high-entropy literal key embedded in the doc and functions as a credential/signing secret — should be treated as sensitive.
Ignored items (reasons):
- 0x... Ethereum addresses and token examples (e.g., 0xaf88d065..., 0xPT_ADDR): these are public contract/wallet addresses or placeholders, not secrets.
- Placeholder values like 0xPT_ADDR, 0xPT_ADDRESS, 0xPT_ADDR, and parameter names (e.g., --from , --market <MARKET_ADDRESS>) are documentation placeholders (explicitly allowed to ignore).
- URLs, CLI commands, sample numeric values, and example slippage values are non-secrets and operational examples.
Conclusion: there is one embedded high-entropy secret (the base64 _K value used for HMAC signing) and the rest are placeholders/public data to ignore.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed for on-chain financial operations. Its "write ops" (buy-pt, sell-pt, buy-yt, sell-yt, add-liquidity, remove-liquidity, mint-py, redeem-py) generate calldata via the Pendle SDK and then submit transactions via "onchainos wallet contract-call". It also handles ERC-20 approvals, returns tx hashes, and documents full execution flows (dry-run, user confirmation, broadcast). This is direct crypto/blockchain transaction execution (wallet signing and broadcasting), so it grants direct financial execution authority.