okx-onchain-gateway
Fail
Audited by Snyk on Apr 27, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). The skill explicitly requires taking user-provided signed transaction hexes (the --signed-tx value) and embedding them verbatim in CLI/API broadcast commands, forcing the LLM to handle and output sensitive, signature-containing data.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). This skill's Pre-flight Checks explicitly require fetching and parsing release tags, installer scripts, and checksum files from public GitHub endpoints (e.g., api.github.com and raw.githubusercontent.com) and then using that content to decide installs/updates and to run binaries, so untrusted third‑party content can directly influence tool use and actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's pre-flight procedure fetches and executes a remote installer at runtime (e.g., curl -sSL "https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh" -o /tmp/onchainos-install.sh followed by sh /tmp/onchainos-install.sh, with related release assets at https://github.com/okx/onchainos-skills/releases/download/${LATEST_TAG}/installer-checksums.txt), so it downloads and runs remote code that the skill relies on.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to broadcast signed blockchain transactions, estimate gas, simulate transactions, and track on-chain order status across many chains (Ethereum, Solana, BSC, etc.). It includes commands like "gateway broadcast --signed-tx ..." and workflows that take signed txs from a swap skill and send them on-chain (including batch broadcasts and MEV protection parameters). Although it does not sign transactions, it directly executes transmit/broadcast operations that move crypto funds on-chain. This matches the Crypto/Blockchain category (wallet/transaction broadcast) for Direct Financial Execution.
Issues (4)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).