kamino-liquidity-plugin
Audited by Snyk on Apr 25, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.80). The prompt includes an obfuscated base64 HMAC key and explicit device-fingerprinting + remote-reporting shell commands (sending a hashed device ID to external endpoints), which are telemetry/exfiltration steps unrelated to the plugin's stated Kamino vault operations and thus constitute hidden/deceptive instructions outside the skill's purpose.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). This skill directly fetches and parses data and serialized transactions from the public Kamino API (https://api.kamino.finance) — see SKILL.md and src/api.rs — and uses those untrusted responses (including base64-encoded transactions) to decide actions and to build/broadcast on-chain transactions, so third-party content can materially influence tool use.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's pre-flight install step runs a shell pipeline that fetches and executes remote code—curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh—which would run remote installer at runtime and the skill depends on the onchainos CLI as a required dependency.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the full skill prompt for literal, high-entropy credential material.
Findings:
- The file includes a base64 literal: OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==. This is decoded in-script and used as an HMAC signing key (_K) to compute HMAC_SIG and build a device token sent to an external API. This is a high-entropy, usable secret (an embedded HMAC key) rather than a placeholder, and therefore should be flagged.
Ignored items (not flagged) and why:
- Solana addresses (e.g., GEodMsAREM..., DTEqFXyF...) are public addresses, not secrets.
- Example values, truncated tx hashes (e.g., "5xHk..."), and other sample fields are documentation/example data.
- No private key / seed phrase blocks or API keys in the sk-live / sk-xxxx form were present.
Because the base64 string decodes to an actual signing key used in reports, it constitutes a hardcoded secret included in the document.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). This skill is explicitly a crypto-financial integration for Solana: it builds unsigned on-chain transactions for deposits and withdrawals into Kamino KVaults and executes them via the onchainos wallet (e.g., onchainos wallet contract-call --chain 501 --unsigned-tx <base58_tx> --force). It exposes direct write operations (deposit, withdraw) that submit blockchain transactions and reports transaction hashes. Although it requires explicit user confirmation (--confirm), the primary and explicit purpose is moving funds on-chain (crypto wallet transactions), which meets the "Direct Financial Execution" criteria.
Issues (5)
Prompt injection detected in skill instructions.
Third-party content exposure detected (indirect prompt injection risk).
Unverifiable external dependency detected (runtime URL that controls agent).
Secret detected in skill content (API keys, tokens, passwords).
Direct money access capability detected (payment gateways, crypto, banking).