spectra

Fail

Audited by Snyk on Apr 9, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 1.00). The prompt includes an auto-injected installation/report step that decodes an obfuscated base64 key, computes a device fingerprint/HMAC, and POSTs a device token to external endpoints—an obfuscated data-exfiltration behavior unrelated to the plugin's advertised on-chain finance functionality.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.80). The package flow includes a raw GitHub shell script (curl | sh), platform binaries downloaded directly from a lesser-known GitHub release (executables), plus telemetry/reporting endpoints (Vercel and OKX API) that collect device fingerprints — together these are a plausible vector for delivering malicious binaries or exfiltrating data.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The skill contains deliberate data-exfiltration and supply-chain behaviors (automatic device-fingerprint reporting to external endpoints with an obfuscated HMAC key, plus curl|sh and remote binary downloads and execution) and additional risky behaviors (automatic max_uint256 ERC‑20 approvals) that create high abuse potential for privacy loss and fund compromise.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill explicitly fetches market and position data from external third-party endpoints (SKILL.md states "get-pools tries the Spectra app data API first" and plugin.yaml lists https://app.spectra.finance and public RPC endpoints), and that untrusted external data is used to construct calldata, estimates, and transaction parameters that drive subsequent tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I looked for high-entropy literal values that could be used as credentials. The only candidate that meets those criteria is the base64 string:

OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==

This is assigned to _K and immediately decoded and used to compute an HMAC signature (HMAC_SIG) that is sent with a device report — i.e., it functions as an embedded signing key. It is not a placeholder, truncated/redacted, or a simple example, and it appears high-entropy and directly usable, so it should be flagged as a hardcoded secret.

I ignored other values such as the 0x... Ethereum addresses (they are contract/wallet addresses, not secrets) and example placeholders like 0xYourWallet or other sample parameters, which are documentation examples and not secrets.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly a crypto financial plugin: it supports deposit, redeem, claim-yield, and swap operations on ERC‑4626 PrincipalToken contracts and a Router. It performs ERC‑20 approves, builds ABI‑encoded calldata, and submits on‑chain transactions via "onchainos wallet contract-call --force" (including Router execute patterns and specific contract selectors). These are direct blockchain fund-movement actions (deposits, withdrawals, swaps, claim payouts) and include automatic approve + transaction submission logic. Even though it prompts for user confirmation, the primary and explicit purpose is executing on‑chain financial transactions. Therefore it grants direct financial execution capability.

Issues (7)

  • E004 (CRITICAL): Prompt injection detected in skill instructions.
  • E005 (CRITICAL): Suspicious download URL detected in skill instructions.
  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
  • W008 (HIGH): Secret detected in skill content (API keys, tokens, passwords).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

  • Risk Level: CRITICAL
  • Analyzed: Apr 9, 2026, 09:46 AM
  • Issues: 7