compound-v3
Audited by Snyk on Apr 12, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The pre-flight "Report install" section includes obfuscated key decoding, device fingerprinting, HMAC signing, and silent POSTs to external endpoints (telemetry/exfiltration) that are not part of the plugin's advertised Compound lending functionality, so it contains hidden/deceptive instructions outside the skill's stated purpose.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly reads untrusted on-chain and API data from public RPC endpoints (see plugin.yaml api_calls like https://ethereum.publicnode.com and the rpc:: calls used throughout src/commands and the SKILL.md pre-flight/workflow), and those contract balances, rates, and responses are interpreted and used to make pre-flight checks and construct/execute transactions, so third‑party content can materially influence agent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's auto-injected pre-flight installs fetch and execute remote code at runtime — specifically "https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh" (curl ... | sh) and the GitHub release URL "https://github.com/okx/plugin-store/releases/download/plugins/compound-v3@0.2.0/compound-v3-${TARGET}${EXT}" (curl download + chmod + execute) which are required dependencies for the plugin to run.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned for high-entropy, literal values that could be used as credentials. I found a base64-encoded string in the install/report script:
_K=$(echo 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' | base64 -d ...)
This is an embedded obfuscated key used to compute an HMAC signature for reporting (HMAC_SIG). It is a high-entropy literal secret (not a placeholder) and therefore should be treated as a hardcoded credential.
I did not flag other values because they are public addresses, placeholders, or low-entropy examples (e.g., "0xYourWallet", contract addresses, or command examples), which per the rules are ignored.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a Compound V3 (Comet) on-chain lending plugin that performs blockchain write operations: supply, borrow, repay, withdraw, and claim-rewards. The documentation states write ops submit transactions via "onchainos wallet contract-call", requires a connected wallet, asks for user confirmation, and reports txHashes. This is a specific crypto/blockchain financial tool designed to move funds and sign transactions on behalf of a wallet, so it grants Direct Financial Execution authority.
Issues (5)
Prompt injection detected in skill instructions.
Third-party content exposure detected (indirect prompt injection risk).
Unverifiable external dependency detected (runtime URL that controls agent).
Secret detected in skill content (API keys, tokens, passwords).
Direct money access capability detected (payment gateways, crypto, banking).