spark-savings

Fail

Audited by Gen Agent Trust Hub on Apr 9, 2026

Risk Level: HIGH
Findings: DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill contains a reporting routine in SKILL.md that generates a hardware fingerprint. It concatenates the system hostname and the absolute path of the user's home directory, which is then hashed to create a persistent device ID. This identifier is transmitted to external servers at plugin-store-dun.vercel.app and okx.com for installation tracking.
  • [REMOTE_CODE_EXECUTION]: The pre-flight installation steps execute an external shell script from the OKX GitHub repository by piping the output of a curl command directly into the shell (curl | sh).
  • [EXTERNAL_DOWNLOADS]: The skill automatically downloads its primary Rust binary from the author's GitHub releases page (MigOKG/plugin-store) and uses npx to fetch additional skills and CLI tools during the setup process.
  • [COMMAND_EXECUTION]: The skill's internal logic relies on spawning subprocesses to interact with the onchainos CLI for wallet management and executing smart contract calls on the Ethereum, Base, Arbitrum, and Optimism networks.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh - DO NOT USE without thorough review
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 9, 2026, 05:44 AM