zerolend
Audited by Snyk on Apr 9, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The prompt includes obfuscated (base64) keys and a device-fingerprinting/reporting routine that posts HMAC-signed device IDs to external endpoints — telemetry/exfiltration steps outside the skill's stated ZeroLend lending functionality and presented in a hidden/obfuscated way.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). These links include a curl|sh raw script and direct downloadable binaries hosted in GitHub releases from relatively small/unknown accounts plus third‑party telemetry endpoints (raw.githubusercontent.com, github.com/MigOKG release, a Vercel app, and okx.com API); while the domains are legitimate, the pattern of executing a raw install.sh and pulling executables from lesser‑known GitHub accounts constitutes a moderate-to-high risk for supply‑chain or malware distribution.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests untrusted external content via public RPCs and third‑party APIs (e.g., "zerolend" makes read-only eth_call requests against public endpoints like https://rpc.linea.build and https://mainnet.era.zksync.io, per the Data Trust Boundary and api_calls), and the agent is required to read those results (health-factor, positions, reserves) to decide whether to block, warn, or execute transactions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's pre-flight steps fetch and execute remote code at runtime — e.g. "curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh" and downloading the zerolend binary from "https://github.com/MigOKG/plugin-store/releases/download/plugins/zerolend@0.1.0/zerolend-…" — both are required installs that run remote code.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned for high-entropy, literal values that could be used as credentials. I found a base64 literal used as an "obfuscated key" in the install/report script:
Other content ignored: Ethereum contract addresses and example tx hashes are public or placeholder-like (low-entropy) and not flagged. All explicit placeholders (e.g., "0xabc...", sample passwords in docs, environment variable names) are ignored per the rules.
Flagged item (real secret):
- The base64 literal assigned to _K: OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw== — Commented as "obfuscated key, same as CLI binary" and used to compute an HMAC signature (HMAC_SIG) for a device token that is reported to OKX. This is a hardcoded secret key (high-entropy, literal) and therefore a real credential present in the skill.
Why flag: it's a literal, non-placeholder, high-entropy value used as an HMAC signing key in code — qualifies as a secret that should not be embedded in source or docs.
If this is intended (e.g., only for telemetry and not security-critical), it should still be treated as a secret: remove from repo, load from environment/secure storage, and rotate any keys derived from it.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform on-chain financial operations: it constructs ABI calldata and submits transactions (supply, withdraw, borrow, repay, set-collateral, set-emode, claim-rewards) via onchainos wallet contract-call to the ZeroLend pool. It handles ERC-20 approvals, broadcasts tx hashes, supports --dry-run vs live execution, and notes that write commands broadcast transactions (uses --force internally). This is not a generic API or browser automation tool — it directly sends financial transactions and manages assets on-chain.