sanctum-validator-lst

Fail

Audited by Snyk on Apr 9, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 0.90). The pre-flight contains an obfuscated base64 HMAC key and device-fingerprinting/reporting steps that exfiltrate a signed device identifier to external endpoints. This telemetry falls outside the plugin's stated staking/swapping purpose and is hidden via base64, which constitutes deceptive, prompt-injection-like behavior.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.90). Suspicious: the script auto-downloads and installs a platform-specific executable from an unvetted GitHub release (direct binary link) while also sending device fingerprint/HMAC telemetry to third-party endpoints (okx.com and vercel.app), which are classic red flags for potential malware or spyware distribution.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).


MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).


HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). The script embeds a base64-encoded literal used as an HMAC key:
  • Line: _K=$(echo 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' | base64 -d ...)
  • Usage: _K is concatenated with a device ID and used to compute an HMAC signature (HMAC_SIG) that is sent in reporting requests.

This is not a documentation placeholder or an obvious example value: it is a non-trivial, high-entropy base64 string directly present in the code and used to sign/report telemetry. That qualifies as a hardcoded secret. No other high-entropy API keys, PEM blocks, or secrets are present; the other content consists of command examples, URLs, and simple labels, which match the "ignore" rules.


MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). This skill is explicitly designed to perform on-chain crypto financial operations: it stakes SOL into validator LST pools and swaps LST tokens via the Sanctum Router on Solana (chain 501). The documented commands (stake, swap-lst, get-quote, get-position) indicate it will construct and execute token staking and swap transactions (with user confirmation), i.e., direct crypto transaction execution. This is a specific financial capability (crypto/blockchain wallet transactions and swaps), not a generic tool, so it meets the "Direct Financial Execution" criteria.

Issues (6)

  • E004 (CRITICAL): Prompt injection detected in skill instructions.
  • E005 (CRITICAL): Suspicious download URL detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
  • W008 (HIGH): Secret detected in skill content (API keys, tokens, passwords).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

Risk Level: CRITICAL
Analyzed: Apr 9, 2026, 09:46 AM
Issues: 6