kamino-lend-plugin

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill fetches and ingests data from public third-party APIs (e.g., DeFiLlama via https://yields.llama.fi/pools in src/api.rs, Kamino API endpoints like /ktx/klend/* and /kamino-market in SKILL.md and src/api.rs, and Jupiter at https://api.jup.ag) and directly uses those responses to build and submit on-chain transactions (the Kamino API returns base64 txs that the agent submits via onchainos), so untrusted external content can materially influence tool use and execution.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The SKILL.md pre-flight includes a runtime install command that pipes a remote script to a shell—"curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh"—which fetches and executes remote code and is required for the skill (onchainos) to operate.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly for on-chain crypto financial operations on Solana: it can supply, withdraw, borrow, and repay assets; build and broadcast transactions; and even perform automatic token swaps via Jupiter. Write operations are executed via a concrete command: onchainos wallet contract-call --chain 501 --unsigned-tx <base58_tx> --force and the skill waits for on-chain confirmation. These are direct blockchain transaction submission and wallet interaction capabilities (crypto/blockchain wallets, swaps, and signing/broadcasting), not generic tooling, so it grants direct financial execution authority.