okx-agentic-wallet
Fail
Audited by Snyk on Mar 18, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs the agent to display API keys (e.g., "show both keys to the user and ask to confirm the switch") and to embed user-provided OTP/API key values in commands (e.g., onchainos wallet verify <otp> / onchainos wallet login flows), which requires emitting secret values verbatim and thus creates an exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The Pre-flight Checks explicitly instruct the agent to call the public GitHub API and download installer and checksum files from raw.githubusercontent.com / github.com/releases (e.g., the install.sh and checksums in Step 1–2), which are open/public third‑party assets the agent fetches and acts on (including executing the installer), so untrusted content could materially influence behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's pre-flight step fetches and executes a remote installer at runtime (e.g. curl "https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh" → sh /tmp/onchainos-install.sh), which runs remote code and is required for the skill to function, so it is a high-risk runtime dependency.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a crypto wallet agent with built-in transaction execution: it supports authenticated wallet login and management, balance queries, and, critically, token transfers and smart-contract calls (commands like onchainos wallet send and onchainos wallet contract-call). The docs describe collecting params, confirming, signing in a TEE, and executing/broadcasting transactions (showing txHash, explorer links). It even supports MEV-protection flags and payable contract calls. These are specific, purpose-built financial execution capabilities for crypto on-chain transfers and contract interactions (not generic tooling), so it grants direct financial execution authority.
Issues (4)
- HIGH W007: Insecure credential handling detected in skill instructions.
- MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata