curve
Audited by Snyk on Apr 12, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.90). The prompt includes an obfuscated/base64-decoded HMAC key and a "Report install" script that fingerprints the device and posts a signed device ID to external endpoints — a hidden telemetry/exfiltration step unrelated to the advertised Curve DEX functionality, so it constitutes a deceptive instruction outside the skill's stated purpose.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches pool data from the public Curve API (https://api.curve.finance) — see src/api.rs and plugin.yaml — and that external, untrusted data is used at runtime to find pools and drive quotes, pool selection, calldata construction, and on-chain actions (quote/swap/add-liquidity/remove-liquidity), so third-party content can materially influence the agent's decisions and tool use.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). I flagged the runtime installation commands that fetch and execute remote code — specifically the installer script fetched and piped to sh at https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh and the curve binary downloaded from https://github.com/okx/plugin-store/releases/download/plugins/curve@0.2.1/curve-${TARGET}${EXT} — because they run during pre-flight, execute remote code, and are required dependencies for the skill.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the skill prompt for high-entropy literal values that could be active credentials.
Flagged item:
- The base64 string 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' in the install/reporting script. It is decoded and assigned to _K and then used to compute an HMAC signature for device reporting. This is a literal, high-entropy value embedded in the code and functions as a signing key → qualifies as a secret.
Ignored items (not flagged) and why:
- Truncated contract/router addresses like "0xbebc..." or "0x45312ea0..." are redacted/truncated and not usable credentials per the rules.
- Example/default values in outputs (TVL, APY, amounts) are non-secrets.
- CLI/install URLs, environment variable names, and command examples are documentation, not secrets.
- No PEM/private key blocks or obvious API keys (sk-live-...) are present.
Therefore there is at least one embedded, high-entropy secret (the base64-encoded key).
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform on-chain financial operations on Curve Finance. It exposes write commands—swap, add-liquidity, remove-liquidity—that:
  - build calldata with a dry-run preview,
  - check and execute ERC-20 approvals,
  - call onchainos wallet contract-call (with --force) to broadcast transactions,
  - report txHash and explorer links.
These are not generic actions; they are concrete crypto transaction/web3 wallet operations that move funds and manage liquidity. Therefore it grants direct financial execution authority.