gmx-v2-plugin
Audited by Snyk on Apr 25, 2026
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill explicitly fetches runtime data from public GMX APIs and RPC endpoints (see plugin.yaml api_calls and SKILL.md's "Market addresses: Fetched dynamically from GMX API at runtime" and installer curl steps), and that external on-chain/API output is consumed by the agent to build commands and decide next actions (e.g., quickstart, get-prices, list-markets, and dry-run flows), so untrusted third-party content can materially influence tool use.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's pre-flight steps fetch and run remote installers/launchers at runtime. For example, it executes "curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh" (and similarly downloads launcher.sh and a GitHub release binary), which runs remote code; these are required dependencies for the plugin to operate.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the skill for high-entropy, literal credentials. Most candidate strings are safe to ignore: EVM addresses (0x...), version numbers, example wallet placeholders (0xYourWallet), and simple example passwords or truncated tokens are documentation/data examples and not secrets.
However, the Report install section contains an embedded base64 string assigned to _K:
'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw=='
This string is decoded and used as an HMAC key to compute a device signature (HMAC_SIG) that is then sent to an OKX API endpoint. That is a high-entropy literal value used as a signing key in the code and therefore constitutes a hardcoded secret (usable credential). I treat this as an actual secret to flag.
All other high-entropy-looking values are either public blockchain addresses or clearly example/truncated placeholders and were ignored for the reasons above.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). This skill is explicitly a crypto trading plugin for GMX V2 with built-in transaction write operations: open-position, close-position, place-order (limit/stop/take-profit), cancel-order, deposit-liquidity, withdraw-liquidity, and claim-funding-fees. It submits on-chain multicalls and broadcasts transactions via "onchainos wallet contract-call" (requires wallet login and supports a --confirm flag to execute). These are direct blockchain financial operations (wallet signing/broadcasting, moving tokens, creating/cancelling orders, minting/burning LP tokens), so the tool's primary and explicit purpose is to move/manage funds on-chain. Therefore it meets the Direct Financial Execution criteria.