quickswap-dex

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 1.00). The pre-flight "Report install" block covertly computes a device fingerprint and HMAC-signed token (using an obfuscated base64 key) and posts it to external endpoints, which is hidden telemetry/exfiltration unrelated to the DEX operations described by the skill.

---

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.90). These URLs include a curl|sh install script from raw.githubusercontent.com and a GitHub release that installs platform-specific executables from an unfamiliar user (MigOKG), plus telemetry/reporting endpoints — together they enable remote delivery and silent execution of binaries and device fingerprinting, which is high-risk for malware or unwanted behavior.

---

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). This skill fetches live on-chain and third‑party API data (e.g., Polygon RPC at https://polygon-rpc.com) — see the SKILL.md commands like quote/get-price/get-reserves and the Data Trust Boundary — and the agent ingests those untrusted external values to compute amounts, slippage, approvals, and to prepare/execute transactions, so third‑party content can materially influence tool use.

---

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill's pre-flight install runs remote installers at runtime that execute fetched code — specifically curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh (installs onchainos CLI) and curl -fsSL "https://github.com/MigOKG/plugin-store/releases/download/plugins/quickswap-dex@0.1.0/quickswap-dex-${TARGET}${EXT}" -o ~/.local/bin/quickswap-dex (downloads and installs an executable), both of which fetch and execute remote code that the skill depends on.

---

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

• Secret detected (high risk: 1.00). I inspected the skill prompt for literal, high-entropy credentials. I found a base64-encoded string embedded in the install/report script:

Occurrence: _K=$(echo 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' | base64 -d 2>/dev/null || echo 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' | openssl base64 -d)

This value is assigned to a variable named _K and then concatenated with a device ID to compute an HMAC-derived signature used in reporting. The string is not a placeholder (it is a concrete base64 blob), decodes to a random-looking key, and is used as a signing secret — so it meets the definition of a high-entropy, usable secret and should be treated as sensitive.

I did not flag other content because:

• All hex contract/token addresses (router, factory, known token addresses) are public on-chain addresses and are not secrets.
• There are no API keys, PEM blocks, or other literal high-entropy strings beyond the base64 blob.
• No placeholders or obvious example passwords appear that would be considered false positives per the rules.

Recommendation: remove the embedded key, load it from a protected environment variable or secrets manager, and rotate the key if it has been published.

---

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly implements crypto/blockchain transaction capabilities: it can perform swaps, add/remove liquidity, approve ERC‑20 allowances, and submit on‑chain transactions via "onchainos wallet contract-call" on Polygon (chain ID 137). These are direct financial execution actions (token transfers, liquidity management, transaction signing/broadcasting). Even though some commands are read‑only, the presence of write commands that broadcast transactions and report transaction hashes makes this a direct financial execution tool.