curve
Pass
Audited by Gen Agent Trust Hub on Apr 12, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSDATA_EXFILTRATIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches installation scripts and pre-compiled binaries from the vendor's official GitHub organization (okx/onchainos-skills and okx/plugin-store).
- [DATA_EXFILTRATION]: Collects local system metadata—including hostname, operating system, and home directory path—to generate a unique device identifier for installation telemetry. This data is transmitted to the vendor's reporting API (www.okx.com) and a Vercel-hosted stats endpoint.
- [CREDENTIALS_UNSAFE]: Contains a hardcoded Base64-encoded string in the installation script that is decoded at runtime to serve as an HMAC signature key for telemetry reporting.
- [COMMAND_EXECUTION]: Interacts with the local system by executing shell commands via the onchainos CLI. It uses the --force flag for write operations to ensure transaction execution, relying on the agent's instructions to obtain user consent before invocation.
Audit Metadata