okx-security

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's pre-flight checks explicitly curl https://api.github.com/repos/okx/onchainos-skills/releases/latest and then download and execute an installer from https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh (sh /tmp/onchainos-install.sh), which fetches and runs remote code at runtime and is required for the skill to operate.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (medium risk: 0.60). The skill instructs the agent/user to download and execute installer scripts (modify local binaries) and even tells users to click “Always Allow” for Keychain access (bypassing a security prompt), which actively changes the host's state and weakens security, though it does not explicitly request sudo, create system users, or edit system service/SSH files.