okx-dex-bridge
Fail
Audited by Snyk on Apr 29, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.90). The prompt instructs the agent to silently fall back to and use static chain/bridge data (and to "not show the error to the user") when the CLI fails, which is a hidden/deceptive behavior that diverges from the skill's stated live-query purpose.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches and ingests public third-party content (e.g., the preflight step downloads release data and installer scripts from the GitHub API / raw.githubusercontent.com in _shared/preflight.md) and repeatedly relies on untrusted CLI/API outputs (onchainos cross-chain quote/bridge/probe/status responses) which the agent must read and act on to choose routes, approvals, and execution — enabling indirect prompt-injection via those external responses.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's preflight step fetches the latest release tag from https://api.github.com/repos/okx/onchainos-skills/releases/latest and then downloads and executes a remote installer script (e.g. https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh via curl ... -o /tmp/onchainos-install.sh && sh /tmp/onchainos-install.sh), which clearly downloads and runs remote code at runtime and is required for the skill to run.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to move cryptocurrency assets. It exposes targeted cross-chain crypto operations (quotes, prepare calldata, and — crucially — an execute command that broadcasts transfers) and includes wallet/authorization flows (approve/confirm-approve/skip-approve, --wallet, MaxUint256/unlimited approvals, polling tx status, order IDs, source/destination TX hashes). It even supports forced broadcasting (--force), approval tx submission, and full lifecycle status tracking. These are specific blockchain transaction primitives (wallet signing/authorization, broadcasting transactions, token approvals, cross-chain swaps/bridges) — not generic tooling. Therefore it grants direct financial execution authority for crypto/blockchain transfers.
Issues (4)
- E004, CRITICAL: Prompt injection detected in skill instructions.
- W011, MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
- W012, MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
- W009, MEDIUM: Direct money access capability detected (payment gateways, crypto, banking).