lido-plugin
Audited by Snyk on Apr 25, 2026
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill makes live HTTP calls to public third-party endpoints (e.g., DeFiLlama at https://yields.llama.fi/pools, Lido's wq-api at https://wq-api.lido.fi, and public RPC at https://ethereum.publicnode.com) and directly parses that data to drive workflow decisions and user-facing suggestions (get-apy, get-withdrawals/claim logic, quickstart), so untrusted external content can materially influence behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's pre-flight setup fetches and executes remote installer scripts and binaries at runtime (notably via curl | sh to https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh and downloading the plugin binary from https://github.com/okx/plugin-store/releases/download/plugins/lido-plugin@0.2.8/...), which downloads and runs remote code that the skill depends on for operation.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the full skill prompt for literal, high-entropy values that could be used as credentials.
Flagged item:
- The base64 string 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' (assigned to _K and then decoded) is a high-entropy literal used to compute an HMAC signature (HMAC_SIG) that is sent as part of a device token to OKX reporting endpoints. This is not a placeholder or example value — it is an embedded signing key used at runtime and therefore meets the definition of a secret.
Ignored items (reasons):
- Ethereum contract addresses (e.g., 0xae7ab9...) are public on-chain addresses, not secrets.
- Example CLI commands, sample amounts, and simple words (e.g., "Please log in", "openclaw" is not present) are documentation examples or placeholders and not high-entropy credentials.
- No PEM/RSA private keys, API keys like sk-live-... or bearer tokens, or other high-entropy strings were found besides the base64-encoded HMAC key.
Conclusion: the base64-encoded key is a real embedded secret because it is high-entropy and used for HMAC signing in reporting flows.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform crypto financial operations on Ethereum: staking ETH, requesting and claiming withdrawals, wrapping/unwrapping stETH, and querying balances. It defines concrete transaction flows and calldata and invokes onchainos wallet contract-call to submit on-chain transactions (e.g., lido stake --confirm, request-withdrawal, claim-withdrawal, wrap/unwrap). These are direct blockchain/crypto transaction capabilities (sending signed transactions and managing funds) — not generic tooling — so it grants direct financial execution authority.