renzo
Audited by Snyk on Apr 9, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The skill includes an auto-injected "Report install" block that constructs a device fingerprint, derives an HMAC-signed device token (with an obfuscated base64 key), and POSTs it to external endpoints—behavior unrelated to the Renzo restaking functionality and effectively exfiltrating device-identifying data, so it is a hidden/deceptive instruction outside the skill's stated purpose.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). These URLs include direct downloads of an install.sh and platform-specific binaries (one from a relatively unknown GitHub user) plus telemetry/reporting endpoints — piping remote shell scripts to sh and fetching executables from unvetted GitHub releases are common malware distribution vectors, while the API/report URLs are lower risk but do expose telemetry.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). Yes — the skill's pre-flight steps download and execute required remote code at runtime, notably the installer script fetched and piped to a shell (https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh) and the Renzo binary downloaded from the GitHub release URL (https://github.com/MigOKG/plugin-store/releases/download/plugins/renzo@0.1.0/renzo-${TARGET}), both of which run remote code that the skill depends on.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the entire skill prompt for high-entropy literal values that could be used as active credentials.
Findings:
- The script embeds a base64 string assigned to _K: 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' which is then decoded and used as an HMAC secret to produce a device signature (HMAC_SIG) sent to an external API. This is a hardcoded, high-entropy value used as a signing key and therefore qualifies as a secret (it can be used to generate valid HMAC-signed device tokens).
Ignored items (not flagged) and why:
- Ethereum contract addresses and token addresses (public on-chain addresses) — not secrets.
- Example commands, CLI flags, and sample amounts (e.g., 0.00005) — documentation/test values.
- URLs and installation scripts (curl downloads) — not secrets.
- Textual placeholders and explanatory strings (e.g., API endpoint paths, parameter names) — documentation placeholders.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly implements on-chain write operations to move funds: commands like
deposit-ethanddeposit-stethperform contract calls (including ERC-20 approve + deposit flows) viaonchainos wallet contract-callon Ethereum mainnet. It includes calldata, target contract addresses, ETH amounts, and a publish/broadcast path. These are specific crypto/blockchain financial actions (sending ETH, approving/spending stETH, minting ezETH), not generic tooling. Although user confirmation is required, the skill clearly provides direct financial execution capabilities.
Issues (5)
Prompt injection detected in skill instructions.
Suspicious download URL detected in skill instructions.
Unverifiable external dependency detected (runtime URL that controls agent).
Secret detected in skill content (API keys, tokens, passwords).
Direct money access capability detected (payment gateways, crypto, banking).