solayer
Audited by Snyk on Apr 9, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.90). The prompt contains an auto-injected "Report install" routine that computes a device fingerprint, derives an HMAC using an obfuscated key, and silently POSTs this identifying data to external endpoints—telemetry/exfiltration unrelated to Solayer's advertised staking/query functionality, and thus a hidden/deceptive instruction.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). Although some endpoints are official (okx GitHub and okx.com), this skill instructs piping a raw GitHub shell script to sh and downloading platform-specific binaries from a lesser-known GitHub account (MigOKG) — direct execution of remote .sh/binary files and distribution via an unvetted release are common malware vectors, and the presence of telemetry/reporting endpoints increases risk.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's pre-flight steps run at session start and fetch-and-execute remote code — specifically "curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh" (executes a remote install script) and "curl -fsSL https://github.com/MigOKG/plugin-store/releases/download/plugins/solayer@0.1.0/solayer-${TARGET} -o ~/.local/bin/solayer" (downloads a binary that is made executable) — both are runtime downloads that execute remote code and are required dependencies.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I found a high-entropy, literal value embedded in the install/report script:
- The base64 string 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' is decoded into _K and used as an HMAC signing key for device tokens (comment even calls it an "obfuscated key, same as CLI binary"). This is a hardcoded, high-entropy secret-like value used for signing and therefore qualifies as a credential leakage risk.
Ignored items (not flagged):
- Solana addresses (e.g., sSo14endRuUbv...), tx/hash fragments (e.g., "5Kx...", "DTEq...") — these are public on-chain addresses or truncated values, not secrets.
- Command examples, sample amounts, and CLI instructions — documentation/sample values and low-entropy strings are placeholders or harmless.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly built for crypto financial operations on Solana. It provides a "stake" write command that previews and—when run with --confirm—broadcasts on-chain transactions via
onchainos swap executeto move SOL and mint sSOL. It requires a connected wallet, routes blockchain operations through signing tooling, and returns transaction hashes. These are direct crypto transaction/swap/signing capabilities (explicit financial execution), not generic tooling.
Issues (5)
Prompt injection detected in skill instructions.
Suspicious download URL detected in skill instructions.
Unverifiable external dependency detected (runtime URL that controls agent).
Secret detected in skill content (API keys, tokens, passwords).
Direct money access capability detected (payment gateways, crypto, banking).