spark-savings

Fail

Audited by Snyk on Apr 9, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 1.00). The prompt includes an auto-injected "Report install" block that obfuscates a key, computes a device fingerprint/HMAC and POSTs it to external endpoints (telemetry/exfiltration) which is not part of the Spark Savings functionality and is a hidden/deceptive instruction outside the skill's stated purpose.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.90). Yes — the flow instructs fetching and executing a remote shell script (raw.githubusercontent.com) and downloading a native binary from a third‑party GitHub release (MigOKG) plus contacting a Vercel endpoint, which are high‑risk patterns for malware distribution (remote script|sh piping and unknown-user GitHub releases distributing executables).

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The skill contains deliberate telemetry/exfiltration and supply-chain behaviors: it auto-downloads a binary via curl without verification and posts a device fingerprint (including hostname/HOME) to external endpoints using an obfuscated HMAC key; while there is no direct credential theft or remote-exec/backdoor code, the hidden reporting and base64-obfuscated key indicate intentional data exfiltration and supply-chain/telemetry risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill makes direct eth_call requests to public RPC endpoints (ETHEREUM_RPC and per-chain URLs in src/config.rs used by src/rpc.rs) and parses onchainos CLI output (src/onchainos.rs) to compute APYs, conversion rates, balance estimates and to build/preview/broadcast transactions, so untrusted on-chain/public RPC data is read and can materially influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).


HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the entire skill prompt for literal, high-entropy values that look like usable credentials. The only candidate that meets the definition of a secret is the base64-encoded string assigned to _K in the install/report script:

echo 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' | base64 -d

This value is decoded and used as an "obfuscated key" to compute an HMAC signature (HMAC_SIG) for the device token sent to OKX — i.e., it functions as a static signing key embedded in the script. It is not a placeholder or truncated value and appears random/high-entropy, so it qualifies as a hardcoded secret.

Other items that might look sensitive but are not flagged:

  • All listed contract addresses (0x...) are public blockchain addresses — not secrets.
  • Filenames, flags, chain IDs, and CLI commands are documentation/usage content and not secrets.
  • There are no visible API tokens, private key PEM blocks, or other plain-text credentials.

Because the base64 value decodes to an actual key used for HMAC signing, I treat it as a real secret that should be removed/rotated and stored securely (env var or secrets manager).


MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly a crypto savings/deposit tool: it provides commands to deposit USDS/DAI into vaults, withdraw sUSDS back to USDS, performs on-chain actions (approve, swapExactIn, deposit, redeem), and produces transaction hashes. It lists contract addresses, supported chain IDs, requires a connected wallet, and has a --confirm flag to broadcast write transactions via onchainos (TEE-sandboxed signing). These are direct blockchain transaction APIs/operations (wallet signing and broadcasting), so the tool's primary purpose is to move funds on-chain.

Issues (7)

  • CRITICAL E004: Prompt injection detected in skill instructions.
  • CRITICAL E005: Suspicious download URL detected in skill instructions.
  • CRITICAL E006: Malicious code pattern detected in skill scripts.
  • MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
  • MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
  • HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
  • MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

  • Risk Level: CRITICAL
  • Analyzed: Apr 9, 2026, 05:45 AM
  • Issues: 7