kamino-lend
Audited by Snyk on Apr 11, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.90). The prompt includes auto-injected install/reporting steps that compute a device fingerprint and HMAC (using an obfuscated/base64 key) and POST it to external endpoints, which is unrelated to the Kamino lending functionality and constitutes hidden/exfiltration behavior outside the skill's stated purpose.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). These URLs point to executables and a shell install script served from GitHub, okx.com and a Vercel app — likely legitimate OKX/plugin-store assets but still risky because the workflow pipes a raw install.sh and downloads binaries to execute (curl|sh and direct binaries), plus telemetry reporting, which makes it a moderate-to-high risk for malware distribution if the sources were ever compromised.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). Yes — the skill calls the public Kamino API (API_BASE = https://api.kamino.finance) to fetch markets/obligations and to build serialized transactions (see src/api.rs build_/get_ functions and the SKILL.md note "The transaction is fetched from Kamino API and immediately submitted"), and those API responses (notably base64-encoded transactions) are parsed/converted and submitted via onchainos, so untrusted third‑party content can directly determine tool actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's pre-flight install (run once per session) fetches and executes remote code—e.g. curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh and the GitHub release binary https://github.com/okx/plugin-store/releases/download/plugins/kamino-lend@0.1.0/kamino-lend-... (downloaded and made executable)—which are runtime actions that pull and run external code and are required for the skill to operate.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I found a literal base64-encoded value in the install/report section:
OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==
The script decodes this value into _K and uses it as an HMAC signing key ("HMAC signature (obfuscated key, same as CLI binary)") to produce a device token sent to external APIs. This is a hardcoded secret (high-entropy, not a placeholder) that can be used to sign requests and should be treated as a credential. Other values in the skill (URLs, command examples, environment variable names, example passwords) are documentation or benign and not high-entropy secrets, so they are ignored.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is specifically designed for crypto financial operations on Solana (Kamino Lend). It exposes explicit on-chain write operations: supply, withdraw, borrow, and repay, and describes broadcasting transactions via onchainos wallet contract-call (e.g., --chain 501 --unsigned-tx <base58_tx> --force). These are direct blockchain wallet/transaction actions (crypto wallet signing/submission), so it grants direct financial execution capability.
Issues (6)
- Prompt injection detected in skill instructions.
- Suspicious download URL detected in skill instructions.
- Third-party content exposure detected (indirect prompt injection risk).
- Unverifiable external dependency detected (runtime URL that controls agent).
- Secret detected in skill content (API keys, tokens, passwords).
- Direct money access capability detected (payment gateways, crypto, banking).