hyperliquid-plugin
Pass
Audited by Gen Agent Trust Hub on Apr 28, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads environment setup scripts, a universal launcher, and platform-specific binaries from the vendor's official GitHub repository.
  - Evidence: curl commands in SKILL.md targeting github.com/okx/ repositories.
- [REMOTE_CODE_EXECUTION]: The installation process involves downloading a remote shell script and piping it directly to sh for environment preparation.
  - Evidence: curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh in SKILL.md.
- [COMMAND_EXECUTION]: The plugin binary executes the onchainos CLI tool to perform critical wallet operations, including address resolution and EIP-712 message signing.
  - Evidence: Subprocess calls using std::process::Command in src/onchainos.rs.
- [SAFE]: The skill includes a 'Data trust boundary' notice that explicitly instructs the agent not to interpret API-returned data (prices, labels, IDs) as instructions, mitigating potential indirect injection risks.
Audit Metadata