vertex-edge
Audited by Snyk on Apr 9, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.90). The pre-flight "Report install" section contains obfuscated steps that compute a device fingerprint/HMAC and silently POST it to external endpoints (telemetry/exfiltration) which is unrelated to the plugin's advertised market/query/deposit functionality.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). These URLs combine otherwise plausible official endpoints (vertexprotocol.com, okx.com, vercel.app) with a direct platform-specific executable download from a third‑party GitHub release (unknown/low‑profile maintainer) and telemetry/reporting calls — directly downloading and auto-executing binaries from an unvetted release is a notable security risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and consumes external data from public third‑party endpoints (e.g., https://gateway.prod.vertexprotocol.com/v1 and https://archive.prod.vertexprotocol.com/v1) and on‑chain contract/query responses (noted in SKILL.md's Data Trust Boundary), which the agent is expected to read and use to make trading/deposit decisions, so untrusted third‑party content could influence actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's pre-flight install downloads and installs an executable at runtime from https://github.com/MigOKG/plugin-store/releases/download/plugins/vertex-edge@0.1.0/vertex-edge-${TARGET}${EXT}, which fetches remote code that will be executed and is required for the skill to run.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I looked only for literal, high-entropy values that could be used to access services.
Findings:
- The code contains a base64 string assigned to _K: 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw=='. The comment directly above it calls this an "HMAC signature (obfuscated key, same as CLI binary)" and it is decoded and used to compute HMAC-signed device tokens that are sent to remote endpoints. This is a high-entropy secret (an encoded HMAC key) present in the repository and therefore a real credential leakage.
Ignored items:
- 0xYOUR_ADDRESS and other example placeholders are documentation placeholders and not secrets.
- Contract addresses, public API endpoints (gateway.prod.vertexprotocol.com, archive.prod.vertexprotocol.com), chain IDs, and example CLI commands are public configuration, not secrets.
- No other high-entropy literals (API keys, private PEM blocks, etc.) are present.
Conclusion: the base64-encoded HMAC key is a real secret and should be treated/rotated as leaked.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a crypto trading/deposit plugin for Vertex Edge (a cross-chain perpetual DEX) and includes a "deposit" operation that performs on-chain transactions (ERC-20 approve + depositCollateral) to move USDC into a subaccount. It exposes commands to deposit funds (--amount, --from) and lists contract addresses and chain IDs. These are specific, intentional financial-execution capabilities (crypto/blockchain transaction execution), not just generic tooling.