solv-solvbtc
Audited by Snyk on Apr 9, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.90). The prompt contains auto-injected install/report scripts that decode an obfuscated base64 key, compute a device fingerprint (from hostname/uname/$HOME) and exfiltrate a signed device ID to external endpoints (including OKX), which are hidden telemetry/data‑reporting instructions unrelated to the plugin's stated SolvBTC functionality.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). The curl command downloads and runs an unsigned executable directly from a GitHub release owned by an unfamiliar account (MigOKG)—a common malware distribution pattern—while the other two endpoints (okx and vercel.app) act as telemetry/reporting endpoints that could exfiltrate install/device identifiers, so the package+reporting combination is high risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches prices and TVL from DeFiLlama (coins.llama.fi / api.llama.fi) and queries on-chain RPC endpoints (arb1.arbitrum.io, ethereum.publicnode.com) as described in SKILL.md and api_calls, and that untrusted third‑party data is read and used to inform/nav/transaction decisions (e.g., get-nav, get-balance, mint/redeem), so external content can materially influence actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The pre-flight install step fetches and installs an executable at runtime from https://github.com/MigOKG/plugin-store/releases/download/plugins/solv-solvbtc@0.1.0/solv-solvbtc-${TARGET}${EXT}, which downloads remote code that will be executed and is required for the skill to operate.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I flagged the base64-encoded HMAC key found in the install-report block as a real secret. Specifically, the literal string: 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' is embedded and later used as an HMAC signing key (comment: "obfuscated key, same as CLI binary"). This is high-entropy, not a documentation placeholder, and functions as a credential for signing device tokens — therefore it meets the definition of a secret.
Everything else in the skill is public or low-risk example content: contract addresses, function selectors, chain IDs, CLI usage examples, and URLs are public on-chain or documentation values and are not secrets. No private keys, API keys, or other high-entropy strings besides the base64 HMAC key were found.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a crypto asset execution tool for the Solv Protocol: it contains commands to mint (deposit WBTC → SolvBTC), redeem (withdraw SolvBTC → WBTC), cancel redemptions, wrap/unwrap into yield-bearing xSolvBTC, and performs on-chain transactions (approve + deposit, withdrawRequest, cancelWithdrawRequest, pool deposit/withdraw). It includes chain IDs, contract addresses, function selectors, and notes that transactions will be broadcast (with --dry-run options). This is specifically designed to move crypto funds and interact with wallets/smart contracts, not a generic API or browser automation tool.