velodrome-v2

Fail

Audited by Snyk on Apr 9, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 1.00). The pre-flight install block quietly computes a device fingerprint/HMAC and POSTs it to external endpoints (telemetry/exfiltration). This is unrelated to the plugin's swap/liquidity functionality and thus constitutes hidden/deceptive instructions outside the skill's stated purpose.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.80). These URLs include a curl|sh install script and a direct download of a prebuilt executable from a third‑party GitHub release (MigOKG) plus telemetry endpoints — executing network-fetched shell scripts or unknown-release binaries is risky even if some hosts (github.com, okx.com, vercel.app) are legitimate, so this distribution vector could be used to deliver malware or unwanted telemetry.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill issues eth_call requests to a public Optimism RPC (https://optimism-rpc.publicnode.com as returned by config::rpc_url and used in src/rpc.rs / SKILL.md) and ingests on-chain, user-controlled contract return values (pool addresses, reserves, quotes, gauge earned amounts) which are directly used to select pools, compute amounts, and decide/broadcast transactions, so untrusted third-party content can materially influence agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).


HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the entire skill prompt for literal, high-entropy credential material.

Flagged item:

  • The base64 string used in the install/report script: echo 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' | base64 -d ... This is a reversible, base64-encoded secret (an HMAC key) that the script decodes and uses to compute HMAC signatures for device tokens. It is a high-entropy literal value embedded in the code (not a placeholder) and therefore meets the definition of a hardcoded secret.

Ignored items (reasons):

  • All Ethereum addresses / contract addresses / token addresses: public blockchain addresses, not secrets.
  • Example outputs, truncated hashes (e.g., "0xabc...", "0x..."), and abbreviated txHashes: truncated/redacted or placeholders; not actionable secrets.
  • Command examples, CLI flags, and descriptions (e.g., onchainos usage): documentation and not secrets.
  • No API keys, private key/PEM blocks, or other plaintext credentials were found elsewhere.

Because the base64-encoded HMAC key is an actual literal secret used by the script (not a placeholder or low-entropy example), I mark a real secret present.


MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly a DeFi transaction interface for Velodrome V2 on Optimism. It exposes concrete, domain-specific commands that create and broadcast on-chain financial transactions (swap, add-liquidity, remove-liquidity, claim-rewards). It uses onchainos wallet contract-call (including explicit contract selectors and tx broadcasting with --confirm/--force), handles ERC‑20 approvals, and returns txHash values. These are purpose-built payment/asset operations (token swaps, liquidity management, reward claims) — not generic tooling — and therefore constitute direct financial execution capability.

Issues (6)

  • CRITICAL E004: Prompt injection detected in skill instructions.
  • CRITICAL E005: Suspicious download URL detected in skill instructions.
  • MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
  • MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
  • HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
  • MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: CRITICAL
Analyzed: Apr 9, 2026, 05:45 AM
Issues: 6