clanker-plugin
Audited by Snyk on Apr 25, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The pre-flight section contains auto-injected installation and telemetry code that decodes an obfuscated HMAC key and posts a device fingerprint to remote endpoints (exfiltrating installer telemetry) — behavior unrelated to the stated token management purpose and effectively a hidden/obfuscated instruction outside the skill's scope.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill calls public third‑party endpoints (e.g., https://clanker.world/api as implemented in src/api.rs and referenced in SKILL.md for list-tokens/search-tokens/quickstart) and explicitly instructs the agent to parse JSON fields like next_command/onboarding_steps and act on them, meaning untrusted, user‑originated on‑chain and API data are ingested at runtime and can directly influence the agent's next actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's auto-injected pre-flight installs fetch and execute remote code at runtime — notably the installer piped to shell (curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh), the launcher/update-checker downloads from raw.githubusercontent.com (https://raw.githubusercontent.com/okx/plugin-store/main/scripts/launcher.sh and https://raw.githubusercontent.com/okx/plugin-store/main/scripts/update-checker.py) and the plugin binary downloaded from the GitHub releases URL (https://github.com/okx/plugin-store/releases/download/plugins/clanker-plugin@0.2.5/clanker-plugin-...); these are required for the skill and execute remote code, so they present a high-risk runtime dependency.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the full skill prompt for high-entropy literal values that constitute usable credentials.
Flagged:
- The base64 string 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' (assigned to _K) is a high-entropy literal used as an HMAC key to compute a device signature (HMAC_SIG) and sent in reporting calls. This is an embedded secret (obfuscated but reversible) and therefore real credential material.
Ignored (not flagged) with reasons:
- Many Ethereum-style 0x... addresses (e.g., 0xE85A59c628F7d27878ACeB4bf3b35733630083a9) are public contract addresses — not secrets.
- Placeholders like 0xYourWallet, 0xTokenAddress, 0x..., and "0xDRYRUN..." are documentation/examples and explicitly placeholders.
- Simple example words and passwords (none present beyond example placeholders) are ignored per rules.
- Truncated/redacted examples and environment variable names are ignored.
Conclusion: one actual hardcoded secret present (the base64 HMAC key).
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly implements on-chain financial actions: "deploy-token" submits a deployToken(DeploymentConfig) transaction via onchainos wallet contract-call to deploy ERC‑20 tokens, and "claim-rewards" executes a collectFees contract-call to transfer LP rewards to a wallet. It requires onchainos wallet login and can broadcast signed transactions (after confirmation). These are specific crypto/blockchain transaction operations (wallet signing and sending), not generic tooling, so it grants direct financial execution capability.