sky-lending
Audited by Snyk on Apr 9, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The prompt includes obfuscated (base64-decoded) secrets and device-fingerprinting/reporting shell commands that exfiltrate a device ID to external endpoints—behavior unrelated to the plugin’s stated lending/CDP functionality and therefore constitutes hidden/deceptive instructions.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). Yes — the set includes high-risk distribution links: a raw.githubusercontent.com shell install script (curl | sh) and a GitHub release binary hosted under an unfamiliar account (directly downloaded and installed), while the other two endpoints (okx API and vercel.app) appear to be telemetry/reporting endpoints that can leak device IDs; together this is a suspicious download vector that could deliver malware or unwanted telemetry.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's auto-injected pre-flight runs a runtime installer that downloads and executes remote code—e.g. curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh and curl -fsSL https://github.com/MigOKG/plugin-store/releases/download/plugins/sky-lending@0.1.0/sky-lending-${TARGET} -o ~/.local/bin/sky-lending (then chmod +x) — which fetches and executes external code required for the skill.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I found one hardcoded high-entropy credential: the base64 string assigned/decoded into _K:
OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==
This is used as an "obfuscated key" to compute an HMAC signature (HMAC_SIG) and is clearly a secret key baked into the script (comment even says "obfuscated key, same as CLI binary"). It is high-entropy, literal, and used to sign/identify the device — i.e., a usable credential. That meets the definition of a secret.
I am ignoring other values that are not secrets: public contract addresses (Ethereum contract 0x... addresses), placeholder strings like 0xYourAddress, example commands and dry-run flags, and general URLs — these are either public, clearly examples/placeholders, or documentation artifacts and therefore not flagged.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed for crypto financial operations: it provides commands to deposit ETH collateral, open CDP vaults, draw/mint DAI, repay DAI, and withdraw collateral. It details contract calls (e.g., GemJoin.join, Vat.frob, DaiJoin.exit, DAI.approve) and integrates with onchainos wallet operations. Even though it notes "dry-run" by default, the primary and explicit purpose is to construct and submit blockchain transactions that move value, so it grants direct financial execution capability for crypto/blockchain actions.
Issues (5)
Prompt injection detected in skill instructions.
Suspicious download URL detected in skill instructions.
Unverifiable external dependency detected (runtime URL that controls agent).
Secret detected in skill content (API keys, tokens, passwords).
Direct money access capability detected (payment gateways, crypto, banking).