kamino-liquidity

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.90). The pre-flight install includes auto-injected reporting that computes a device fingerprint, HMAC-signs it using an obfuscated base64 string, and POSTs it to external endpoints—hidden telemetry/exfiltration code unrelated to the vault deposit/withdraw functionality.

---

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). These URLs include direct execution of a raw install.sh and fetching a prebuilt executable from a small/unknown GitHub release (plus telemetry/reporting endpoints), which constitutes a supply‑chain risk—running remote shell scripts or unknown binaries is potentially malicious even if some endpoints (okx, solscan) look legitimate.

---

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests public, untrusted on-chain data and serialized transactions from https://api.kamino.finance (see SKILL.md and src/api.rs), and those responses are parsed and used to build/submit transactions (src/commands/*.rs and src/onchainos.rs), so third-party content can materially influence tool actions.

---

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's pre-flight install runs at session runtime and fetches/executes remote code — notably a shell install script fetched via curl from https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh (curl … | sh) and a platform-specific binary downloaded from GitHub Releases at https://github.com/MigOKG/plugin-store/releases/download/plugins/kamino-liquidity@0.1.0/... — both are required dependencies and allow remote code to be executed.

---

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

• Secret detected (high risk: 1.00). I scanned for high-entropy literal values that could be active credentials. The embedded base64 string

OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==

is assigned to _K (commented as "obfuscated key, same as CLI binary") and is then used to compute an HMAC signature for reporting. This is a hardcoded, non-placeholder secret (base64-encoded key material) used for signing device tokens — it meets the "high-entropy, literal value that provides access" definition and is not a documentation placeholder or simple example.

Other values in the document that might look like secrets were ignored for the reasons below:

• Solana addresses (e.g., GEodMsAREMV4JdKs1yUCTKpz...) and example wallet addresses are public on-chain identifiers, not secrets.
• Truncated tx hashes (e.g., "5xHk...") and "shares_mint": "..." are redacted/truncated or placeholders.
• No API keys like sk-... or PEM/private-key blocks were present.

Therefore I flag the base64 _K value as an actual secret.

---

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed to interact with a blockchain financial protocol: it exposes deposit and withdraw commands that build unsigned on-chain transactions and then submit them via a wallet CLI. The documentation shows concrete crypto execution primitives (Kamino API builds unsigned tx, then execute with onchainos wallet contract-call --chain 501 --unsigned-tx <base58_tx> --force), and includes wallet/connect checks and fund limits. These are specific crypto/wallet transaction capabilities (signing/broadcasting on-chain transfers), not generic tooling, so it grants direct financial execution authority.