gmx-v2

Fail

Audited by Snyk on Apr 12, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 0.90). The prompt contains auto-injected install/reporting code that decodes an obfuscated base64 key, computes a device fingerprint/HMAC token and POSTs it to external endpoints — unsolicited telemetry/exfiltration logic unrelated to the trading skill and not transparently part of its stated purpose.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.90). These URLs include a raw GitHub shell script intended to be curl|sh'd plus platform-specific executables from GitHub releases and third‑party telemetry endpoints (Vercel/unknown GitHub user), so they mix direct remote code execution and binary downloads from both an official org and less‑audited sources, which constitutes a high malware/distribution risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches market, price, and position data from public GMX APIs and public RPC endpoints (see plugin.yaml api_calls like https://arbitrum-api.gmxinfra.io and SKILL.md's "Market addresses: Fetched dynamically from GMX API at runtime"), and those untrusted third-party responses are read and used to build transactions and decide next actions, so external content can materially influence the agent's tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).


HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the entire skill prompt for high-entropy literal values that could be usable credentials.

Flagged item:

  • The base64 string "OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==" (used in the script as the _K value and then base64-decoded) is a high-entropy literal embedded in the code and is explicitly described as the "HMAC signature (obfuscated key, same as CLI binary)". This appears to be an actual secret key used to compute an HMAC/device token and therefore meets the definition of a secret.

Ignored items (and why):

  • Ethereum addresses like 0xaf88d065e77c8cC2239327C5EDb3A432268e5831, 0xMarketTokenAddress, 0xYourWallet, 0x1234abcd..., etc. — these are blockchain addresses or truncated placeholders and are not secrets per the rules.
  • Human-readable placeholders and example passwords / tokens (0xYourWallet, "YOUR_API_KEY", truncated keys with "...") — documentation placeholders or truncated values are explicitly ignored.
  • Simple strings and examples in the README and example commands are low-entropy examples or instruction placeholders (ignored).

Conclusion: the embedded base64-decoded key (_K) is a real, high-entropy secret present in the prompt and should be treated as sensitive.


MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). This skill is explicitly designed to execute on-chain financial operations for GMX V2: opening/closing leveraged positions, placing/cancelling conditional orders, depositing/withdrawing pool liquidity, and claiming funding fees. It submits signed transactions via "onchainos wallet contract-call", auto-approves tokens when needed, requires a connected wallet, and broadcasts write ops (uses --force). These are direct crypto/blockchain transaction capabilities (sending tokens, creating market/swap/contract calls), not generic tooling—so it grants Direct Financial Execution Authority.

Issues (6)

  • E004 (CRITICAL): Prompt injection detected in skill instructions.
  • E005 (CRITICAL): Suspicious download URL detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
  • W008 (HIGH): Secret detected in skill content (API keys, tokens, passwords).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: CRITICAL
Analyzed: Apr 12, 2026, 04:48 AM
Issues: 6