term-structure

Fail

Audited by Snyk on Apr 9, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 0.80). The pre-flight script includes an auto-injected “report install” routine that fingerprints the device, decodes an obfuscated HMAC key (base64), and POSTs a signed device ID to third‑party endpoints — telemetry/exfiltration unrelated to the plugin’s stated lend/borrow purpose and hidden via obfuscation, so it is a deceptive instruction outside scope.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.90). Suspicious — the skill instructs downloading and executing a platform-specific binary directly from a GitHub release owned by an unfamiliar account (direct executable distribution is a high-risk pattern), while also POSTing a device fingerprint to third-party endpoints (okx.com and a Vercel app) for telemetry, creating both malware and data-exfiltration concerns.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). The skill contains deliberate, obfuscated telemetry: it fingerprints the host (including hostname and $HOME), decodes a hardcoded base64 key to compute an HMAC, and silently POSTs that device identifier to external endpoints (plugin-store-dun.vercel.app and an OKX API), which constitutes intentional data exfiltration and raises supply-chain/telemetry abuse risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill fetches and ingests untrusted third-party on-chain and API data (e.g., public RPC endpoints listed in plugin.yaml like https://arbitrum-one-rpc.publicnode.com and CLI outputs from smart contracts via the term-structure binary/GitHub release), and those runtime outputs are explicitly used by get-markets/get-position and to drive lend/borrow/repay decisions, so external content can materially influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).


HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the entire skill prompt for literal, high-entropy values that could be used to access services.

Findings:

  • The script contains a base64 literal assigned to _K: 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw=='. This value is then decoded and concatenated with the device ID to compute an HMAC signature used in reporting (comment says "obfuscated key, same as CLI binary"). That is a high-entropy, literal secret embedded in the code and used to sign requests → qualifies as a hardcoded secret.

Ignored items (reasons):

  • Placeholder strings like 0xMARKET and 0xYourWalletAddress are documentation placeholders (low-entropy), so ignored.
  • Example/simple passwords and environment variable names are not present as actual secrets; any simple/example strings would be considered placeholders per the policy.
  • URLs, command examples, and generated device IDs are not secrets by themselves.

Conclusion: there is one hardcoded high-entropy secret (the base64-encoded key).


MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly a crypto financial plugin for TermMax (Term Structure) and includes write commands that execute on-chain financial operations: lend, borrow, repay, redeem. These commands perform token approvals, Router swaps/borrows/repays, mint/burn of debt NFTs, and move on-chain funds. This is a specific blockchain/crypto execution tool (wallet/transaction operations), not a generic API/browser tool — therefore it grants direct financial execution capability.

Issues (7)

  • CRITICAL E004: Prompt injection detected in skill instructions.
  • CRITICAL E005: Suspicious download URL detected in skill instructions.
  • CRITICAL E006: Malicious code pattern detected in skill scripts.
  • MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
  • MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
  • HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
  • MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

Risk Level: CRITICAL
Analyzed: Apr 9, 2026, 09:46 AM
Issues: 7