okx-agentic-wallet
Fail
Audited by Snyk on May 20, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt instructs the agent to accept and use sensitive values (verification codes and to display/confirm API keys) and to embed them verbatim in CLI commands (e.g., onchainos wallet verify <code> and "show both keys to the user"), which requires the LLM to handle and output secret values directly, creating exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's mandatory preflight (/_shared/preflight.md Step 1–3) instructs the agent to fetch live release metadata and installer scripts from public GitHub endpoints (https://api.github.com and raw.githubusercontent.com) and to download/verify and potentially execute installers based on that content, so it consumes untrusted, public third‑party data that can materially influence subsequent tool actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The shared preflight step fetches release metadata from https://api.github.com/repos/okx/onchainos-skills/releases/latest and then downloads and executes an installer from https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh at runtime (curl ... -o ... then sh /tmp/onchainos-install.sh), so remote content is fetched and executed and is required for the skill's setup.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a crypto wallet/transaction manager for OKX Agentic Wallet. It defines concrete commands to send native and ERC‑20/SPL tokens (onchainos wallet send), perform contract calls (onchainos wallet contract-call), manage gas payment via Gas Station (setup/enable/disable/update-default-token), sign messages/transactions (TEE signing, personalSign, EIP‑712), view balances/history, and export/import actions. These are specific on‑chain financial execution primitives (wallet transfers, contract interactions, signing/broadcasting txs), not generic tools. Therefore it grants direct financial execution authority.
Issues (4)
- HIGH W007: Insecure credential handling detected in skill instructions.
- MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).