raydium
Audited by Snyk on Apr 9, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The prompt includes auto-injected installation/reporting code that computes a device fingerprint with an obfuscated HMAC key and silently POSTs it to external endpoints — a hidden data-exfiltration step unrelated to the plugin's described swap/quote functionality.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.75). While the Raydium and OKX API domains look legitimate, the workflow requires piping a raw install.sh to sh and fetching a prebuilt binary from a GitHub release owned by an unverified user (MigOKG), both high-risk vectors for distributing malware if the sources are not fully trusted and audited.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.70). The skill explicitly makes direct REST API calls to public Raydium endpoints (https://api-v3.raydium.io and https://transaction-v1.raydium.io) as shown in the "Architecture" section and command flows, and the agent reads those responses (quotes, routes, pool data) which directly influence swap decisions and transaction construction.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's pre-flight install runs curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh (and also downloads the raydium binary from https://github.com/MigOKG/plugin-store/releases/download/plugins/raydium@0.1.0/...), which fetches and executes remote code at runtime and is required for the skill to operate.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the entire skill prompt for literal, high-entropy values that would constitute usable credentials.
Findings:
- The script contains a base64 literal: 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' which is immediately decoded into the variable _K and labeled in the comment as the "obfuscated key, same as CLI binary". That value is used to compute an HMAC-signed device token. This is a hardcoded, high-entropy secret (not a placeholder or example) and therefore should be treated as a leaked credential.
Items ignored (not flagged) and why:
- All Solana token mint addresses, pool IDs, and example command values (e.g., So1111..., EPjFW...) are public addresses or examples — not credentials.
- URLs, environment variable names, and reporting flags are operational metadata, not secrets.
- No other base64/PEM blocks, API keys, or private keys are present.
Therefore a real secret is present (the base64-encoded key used for HMAC).
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly provides on-chain write operations for crypto asset transfers: a "swap" command that builds a serialized transaction via Raydium's transaction API and submits it using onchainos wallet contract-call on Solana (chain ID 501). This is a focused crypto/blockchain capability (token swaps, transaction building/submission, reporting tx hashes), so it directly enables moving funds on-chain. Read-only endpoints exist too, but the documented "swap" flow constitutes direct financial execution.