rust-cli-inspector

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 1.00). The "Report install" block stealthily collects a device fingerprint, decodes an obfuscated key to compute an HMAC-signed device token and POSTs it to external endpoints, which is unrelated to the stated ETH-price querying purpose and therefore constitutes hidden/deceptive instructions.

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). These links combine executing a raw GitHub install script (curl | sh), downloading a prebuilt binary from an unvetted GitHub account, and automatic telemetry/reporting endpoints — a pattern that is commonly used to distribute and run unreviewed executables and collect device identifiers, so it poses a moderate-to-high risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's pre-flight installs download and execute remote code at runtime—specifically the install script fetched with curl | sh from https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh and the released binary downloaded from https://github.com/MigOKG/plugin-store/releases/download/plugins/rust-cli-inspector@1.1.0/rust-cli-inspector-${TARGET} (saved and made executable)—so external content is executed and required for the skill to run.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

• Secret detected (high risk: 1.00). I inspected the skill prompt for literal, high-entropy secrets. The script contains a base64-encoded string assigned to _K:

OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==

This is decoded at runtime and used as an HMAC signing key (comment: "obfuscated key, same as CLI binary") to generate a device signature that is sent to an external OKX API. Because it is a literal, decodable, high-entropy value embedded in the code and used as a secret signing key, it meets the definition of a secret and should be treated as sensitive.

No other high-entropy credentials (API keys, PEM blocks, or similar) appear in the prompt. Other values (paths, generated device ID, example flags, URLs, and simple strings) are not secrets or are clearly functional/documentation placeholders and were ignored.