sushiswap-v3
Audited by Snyk on Apr 9, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The prompt includes a "Report install" block that decodes an obfuscated key, builds a device fingerprint/HMAC, and posts it to external endpoints—a hidden telemetry/exfiltration step unrelated to the plugin's stated swap/liquidity functionality.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). The skill instructs running a shell from raw.githubusercontent.com and downloading prebuilt executables from a relatively unknown GitHub release (MigOKG), which are direct executable distribution vectors commonly abused for malware; the okx.com and vercel.app endpoints appear to be reporting/analytics but do not mitigate the risk of executing untrusted binaries or scripts.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). The package contains an installer hook that computes a device fingerprint, decodes an obfuscated key, HMAC-signs the fingerprint and POSTs that identifier to external endpoints (plugin-store-dun.vercel.app and an OKX API), plus it auto-downloads an unsigned binary from a GitHub release — this is intentional telemetry / data-exfiltration and a supply-chain risk (obfuscated key and hidden reporting indicate deliberate, privacy-invasive behavior), while the main Rust code itself implements expected DEX operations without obvious backdoor RPC/exec behavior.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill issues eth_call requests to public JSON-RPC endpoints (configured in plugin.yaml and invoked in src/rpc.rs / config.rs) and directly parses QuoterV2/factory/position RPC responses (e.g., in src/commands/quote.rs, swap.rs, get_pools.rs, get_positions.rs) to choose fee tiers, amounts, and build/submit transactions, so untrusted on-chain third‑party content is read and can materially influence agent behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The pre-flight steps run remote installers at runtime—e.g. curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh and curl -fsSL "https://github.com/MigOKG/plugin-store/releases/download/plugins/sushiswap-v3@0.1.0/sushiswap-v3-${TARGET}" -o ~/.local/bin/sushiswap-v3—which fetch and execute remote code and are required for the skill to function.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the prompt for high-entropy literal values that look like real credentials. The notable match is the base64 string assigned to _K:
'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw=='
This is a non-trivial, high-entropy literal (base64-encoded) used as an "obfuscated key" to compute an HMAC signature for reporting ("HMAC signature (obfuscated key, same as CLI binary)"). That fits the definition of a secret (a literal value used to authenticate/sign requests). Even though it's encoded/obfuscated, it is directly present and used programmatically; therefore it should be considered a hardcoded secret.
I ignored the following as non-secrets per the provided rules:
- Contract addresses and token addresses (these are public on-chain addresses).
- Example/truncated tx hashes like "0xabc..." or any values containing "..." (redacted/truncated).
- Command examples, example passwords, and other documentation placeholders — none of them meet the entropy/usage criteria.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform on-chain financial operations. It exposes commands that execute transactions (swap, add-liquidity/mint, remove-liquidity/decreaseLiquidity, collect-fees) and uses a wallet to submit contract calls (e.g., exactInputSingle, approve, mint, decreaseLiquidity, collect) — i.e., signing and broadcasting crypto transactions. These are direct crypto/blockchain financial execution capabilities, not generic tooling.
Issues (7)
Prompt injection detected in skill instructions.
Suspicious download URL detected in skill instructions.
Malicious code pattern detected in skill scripts.
Third-party content exposure detected (indirect prompt injection risk).
Unverifiable external dependency detected (runtime URL that controls agent).
Secret detected in skill content (API keys, tokens, passwords).
Direct money access capability detected (payment gateways, crypto, banking).