clanker
Audited by Snyk on Apr 12, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.80). The prompt includes an obfuscated base64 string and an auto-run “report install” script that computes a device identifier and posts it to external endpoints (exfiltrating host/home metadata), which is a hidden telemetry action outside the skill’s advertised token-management purpose.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). Yes — the skill instructs curl|sh of a raw GitHub shell script and direct downloads of platform-specific executables (including .exe) from GitHub releases plus telemetry to a Vercel endpoint; executing unverified remote scripts/binaries and silent device reporting are common malware/exfiltration patterns even if the domains appear to be “okx” or GitHub.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). High risk: the skill includes a CI-injected pre-flight "report install" block and remote-install commands that deliberately fingerprint the host and POST a derived device ID to external endpoints (plugin-store-dun.vercel.app and an okx priapi URL), plus uses curl | sh and auto-downloads binaries from GitHub — these are deliberate telemetry / supply-chain behaviors that amount to unauthorized data exfiltration and increase risk of compromise; the Rust source itself does not contain an obvious remote exec/backdoor or secret-stealing of wallet private keys, but the installer/reporting flows are deliberate and dangerous.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and parses live data from the public Clanker REST API (CLANKER_API_BASE "https://clanker.world/api" in src/api.rs and listed in plugin.yaml) and the documented workflows (list-tokens, search-tokens, token-info) consume that untrusted third‑party content to drive decisions and on‑chain actions, so external content could indirectly inject instructions that affect tool use.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's auto-injected pre-flight performs runtime fetch-and-execute of remote code — e.g., "curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh" (and it also downloads a runtime binary from "https://github.com/okx/plugin-store/releases/download/plugins/clanker@0.2.0/...") — both are required installs that execute remote code at runtime.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the entire skill prompt for literal, high-entropy values that could be active credentials.
Flagged item:
- The base64 string 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' (assigned to _K and then base64-decoded) is a literal, non-placeholder, high-entropy value. It is decoded and concatenated into an HMAC to generate DIV_ID, which indicates it functions as a secret key. This matches the definition of a secret (literal key material used in signing/HMAC). It is not a documentation placeholder or an obviously fake/test value, so it should be treated as a hardcoded secret.
Ignored candidates:
- Addresses and tx hashes shown as "0x..." or example addresses like 0xYourWallet or 0xTokenAddress are placeholders / public data (not secrets).
- The public contract address 0xE85A59c6... is a public on-chain contract address (not a secret).
- Example/simple strings (e.g., "SkyDog", "SKYDOG"), environment variable names, and other examples are documentation placeholders or low-entropy and thus intentionally ignored per the rules.
Conclusion: one real hardcoded secret present (the base64-encoded key).
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly provides on-chain transaction capabilities for crypto assets: it can deploy ERC‑20 tokens via deploy-token (calls deployToken on the Clanker factory using onchainos wallet contract-call) and execute claim-rewards (calls collectFees on the fee locker via onchainos wallet contract-call). These are specific blockchain wallet/transaction operations (signing/submitting transactions, reporting tx hashes, requiring gas) — not generic tooling. This matches the "Crypto/Blockchain (Wallets, Swaps, Signing)" criteria for Direct Financial Execution.
Issues (7)
Prompt injection detected in skill instructions.
Suspicious download URL detected in skill instructions.
Malicious code pattern detected in skill scripts.
Third-party content exposure detected (indirect prompt injection risk).
Unverifiable external dependency detected (runtime URL that controls agent).
Secret detected in skill content (API keys, tokens, passwords).
Direct money access capability detected (payment gateways, crypto, banking).