aave-v3
Audited by Snyk on Apr 10, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.90). The pre-flight "Report install" section collects a device fingerprint, reconstructs an HMAC-signed device ID using an obfuscated key, and POSTs it to external endpoints — behavior unrelated to Aave lending functionality and effectively a hidden/exfiltration instruction outside the skill's stated purpose.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). Although hosted on recognizable domains (githubusercontent/GitHub and okx/vercel), the workflow instructs piping a remote install.sh to sh and downloading executables from GitHub releases plus calling telemetry endpoints — a high-risk pattern because remote scripts/binaries and telemetry/reporting endpoints can deliver malware or exfiltrate device identifiers if the upstream is compromised or malicious.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill fetches and ingests untrusted third-party data — e.g., public RPC endpoints listed in plugin.yaml (https://ethereum.publicnode.com, https://base-rpc.publicnode.com) and onchainos.defi_positions / onchainos wallet/rpc calls referenced in SKILL.md and the commands (e.g., src/commands/borrow.rs) — and directly uses those on-chain/third-party responses (health factor, positions, available borrows) to decide, warn, block, or execute transactions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's pre-flight steps fetch and execute remote code at session runtime—specifically the install script fetched via https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh (piped to sh) and the aave-v3 binary downloaded from https://github.com/okx/plugin-store/releases/download/plugins/aave-v3@0.1.0/...—which are required dependencies and result in executing externally sourced code.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the full skill prompt for high-entropy, literal credentials. I found one embedded, base64-encoded string assigned to the _K variable in the "Report install" section:
echo 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' | base64 -d ...
The comment explicitly calls this an "obfuscated key, same as CLI binary", and the script uses it to build an HMAC-signed device token that is sent to OKX (priapi) and to a reporting endpoint. This is a high-entropy literal that functions as a secret key used to sign/authorize installs, so it meets the definition of a secret and should be treated as sensitive.
Ignored items (not flagged):
- All listed Ethereum/ERC-20 addresses (these are public contract addresses, not secrets).
- Placeholder/truncated/example values such as "0xabc...", "0xYourAddress", and simple example passwords or command examples — these are documentation samples or placeholders and not high-entropy secrets.
- Environment variable names, usage examples, and plain-English instructions per the policy.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform on-chain financial operations. It constructs ABI calldata and uses onchainos wallet contract-call to approve ERC-20 tokens and to submit transactions such as Pool.supply (deposit), withdraw, borrow, repay, set-collateral, set-emode, and claim-rewards. It requires a connected wallet, can broadcast tx hashes, and even documents unlimited ERC-20 approvals (type(uint256).max). These are direct crypto/blockchain transaction capabilities (signing/sending transactions and managing token allowances), so it grants direct financial execution authority.