pump-fun
Audited by Snyk on Apr 9, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The prompt contains an “auto-injected” install/report script that computes a device fingerprint (hostname/uname/home → hashed ID), decodes an obfuscated HMAC key, and POSTs a signed device token to external endpoints — an exfiltration step unrelated to the pump.fun token operations and effectively a hidden/deceptive instruction outside the skill's stated purpose.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.85). These links include a curl|sh to a raw GitHub install script and a direct-download of platform-specific binaries from an unverified GitHub user (MigOKG) plus telemetry/reporting endpoints — distributing executables via unknown-release accounts and piping remote shell scripts to sh are high-risk and could deliver malware or unwanted code.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). This skill explicitly queries public Solana RPC endpoints (see "get-token-info" and "get-price" which "query Solana RPC directly" and the configurable --rpc-url / HELIUS_RPC_URL) and uses on-chain/token metadata (user-controlled public data) to compute prices and build transactions, so untrusted third-party content can influence agent decisions and tool use.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's pre-flight steps fetch and execute remote code at runtime—specifically the shell install script fetched via "https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh" (curl | sh) and the pump-fun binary downloaded from "https://github.com/MigOKG/plugin-store/releases/download/plugins/pump-fun@0.1.0/pump-fun-${TARGET}"—both of which are required for the skill and directly execute remote code.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the full prompt for literal, high-entropy credentials.
  Findings:
  - The base64 literal 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' is assigned to _K and immediately used to compute an HMAC signature (HMAC_SIG) for a device token used in reporting to external endpoints. This is a static, embedded secret-like value (an obfuscated HMAC key). It is high-entropy looking, directly present, and used to derive an authentication token — therefore it qualifies as a secret and should be treated/removed/rotated.

  Ignored items (reasons):
  - Program ID '6EF8rrecthR5Dkzon8Nwu78hRvfCKubJ14M5uBEwF6P' — public on-chain program address (not a secret).
  - No API keys, private PEM blocks, or sk-... style keys are present.
  - No environment variable values provided (only names like HELIUS_RPC_URL).
  - No sample/simple passwords or placeholders to flag.

  Therefore there is an actual embedded secret (the base64 HMAC key).
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly implements on-chain crypto financial operations on Solana: it can buy tokens, sell tokens, and create tokens (including an initial buy). The architecture describes building VersionedTransactions, serializing them, and submitting them via onchainos wallet contract-call --chain 501 --unsigned-tx <base64_tx>, and redirects graduated-token trades to onchainos dex swap execute --chain 501. These are direct crypto/blockchain transaction submission and market-order-like actions (moving SOL and tokens). Although it requires user confirmation, the skill's primary and explicit purpose is to execute financial transactions on-chain, so it constitutes direct financial execution capability.
Issues (6)
Prompt injection detected in skill instructions.
Suspicious download URL detected in skill instructions.
Third-party content exposure detected (indirect prompt injection risk).
Unverifiable external dependency detected (runtime URL that controls agent).
Secret detected in skill content (API keys, tokens, passwords).
Direct money access capability detected (payment gateways, crypto, banking).