hyperliquid-plugin

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). This skill directly fetches and ingests data from the public Hyperliquid API (https://api.hyperliquid.xyz/info) — see src/api.rs and calls in commands like order, positions, cancel, cancel_batch — and those API responses (prices, meta, balances, order lists) are parsed and used to build and sign follow-up actions, so untrusted third-party content can materially influence the agent's decisions and tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's pre-flight setup runs a runtime shell fetch-and-execute (curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh) (and also downloads launcher/scripts from raw.githubusercontent.com and a binary from https://github.com/okx/plugin-store/releases/...), which fetches and executes remote code that the skill relies on for operation.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a trading and funds-management plugin for a crypto exchange (Hyperliquid). It contains numerous write operations that move or execute value: placing perp and spot market/limit orders (order, spot-order, order-batch), closing positions, setting TP/SL, cancelling orders, depositing USDC from Arbitrum to Hyperliquid via a bridge (deposit), withdrawing USDC to Arbitrum (withdraw), transferring USDC between perp and spot accounts (transfer), sending USDC to a HyperEVM address (evm-send), and a get-gas swap. It also requires user EIP-712 signatures via onchainos (onchainos wallet sign-message) and builds/submits on-chain/exchange transactions. These are specific, purpose-built financial operations (sending funds, signing transfers, placing market orders), not generic tooling. Therefore it grants direct financial execution authority.