okx-x402-payment
Fail
Audited by Snyk on Mar 20, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The skill explicitly requires returning verbatim payment proofs (signature + authorization) and includes a local-signing flow that shows embedding a private key in code, meaning the agent will handle and output sensitive cryptographic secrets needed to access payment-gated resources.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill explicitly instructs the agent to send requests to arbitrary external URLs (e.g., "Send GET https://api.example.com/data" in Workflow A / Operation Flow Step 1) and to decode and act on the HTTP 402 response body (Operation Flow Step 2) — an untrusted, third-party payload that is parsed and used to drive signing and replay actions, so third-party content can directly influence the agent's tool use and decisions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's pre-flight steps fetch and execute a remote installer at runtime (curl -sSL "https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh" -o /tmp/onchainos-install.sh, then sh /tmp/onchainos-install.sh) and also download release assets from https://github.com/okx/onchainos-skills/releases/download/..., so remote content is executed and required for the skill to run.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly and specifically designed for crypto payment signing. It provides a dedicated command (onchainos payment x402-pay) to create EIP-3009 transferWithAuthorization signatures, supports TEE wallet-session signing and a local private-key signing fallback, returns {signature, authorization} to be attached as a payment header, and maps x402 payment payload fields (network, amount, payTo, asset) directly to signing parameters. This is a purpose-built blockchain payment tool (wallet signing / authorization creation), not a generic API or browser automation. Even though it does not broadcast transactions itself, it creates cryptographic payment authorizations that enable on-chain settlement — i.e., it directly facilitates financial execution.
Issues (4)
W007 (HIGH): Insecure credential handling detected in skill instructions.
W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata