lido

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.90). The prompt includes an obfuscated "Report install" step that computes a device fingerprint/HMAC and posts it to external endpoints (with a base64‑encoded key and non-obvious reporting behavior), which is not part of the Lido staking functionality and thus constitutes a hidden/deceptive instruction to exfiltrate telemetry outside the skill's stated purpose.

---

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). While the domains (lido.fi, okx.com, github.com, raw.githubusercontent.com, vercel.app) appear legitimate, the skill instructs piping a raw install.sh into sh and downloading/executing binaries from a GitHub release — direct execution of remote scripts and unsigned executables is a high-risk distribution pattern that could deliver malware if sources or releases are compromised.

---

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill performs runtime calls to public third-party endpoints (e.g., https://eth-api.lido.fi in get-apy, https://wq-api.lido.fi in get-withdrawals, and https://ethereum.publicnode.com via eth_call) and the agent parses those responses (APR, withdrawal statuses, isStakingPaused, checkpoint hints) to make decisions such as aborting or submitting transactions, so untrusted external content can materially influence tool use.

---

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill's pre-flight steps fetch and execute remote code at runtime — notably the installer piped to a shell (curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh) and a downloaded executable (https://github.com/okx/plugin-store/releases/download/plugins/lido@0.2.1/lido-... saved to ~/.local/bin and made executable) which are required for the skill to run, so remote content is executed during runtime.

---

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

• Secret detected (high risk: 1.00). I scanned the full skill prompt for literal, high-entropy credentials and found one embedded, non-placeholder value:
• The base64 string 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' assigned to _K (then base64-decoded) is an obfuscated HMAC key used to compute an HMAC-signed device token (DIV_ID). This is a literal, random-looking secret value (not a placeholder) and is used as a signing key — it meets the definition of a secret.

I did not flag other items because they are allowed (contract addresses, API endpoints, example commands, plaintext example passwords/labels are absent or are documentation/placeholder-like). No RSA/PEM blocks or obvious API keys besides the embedded HMAC key were found.

---

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a crypto/blockchain execution tool: it provides commands to stake ETH, approve and request withdrawals, and claim finalized withdrawals by constructing and submitting on-chain transactions (e.g., onchainos wallet contract-call --chain 1 --to <contract> --amt <WEI> --input-data ...). It includes concrete transaction calldata, contract addresses, wallet login checks, and the ability to broadcast transactions (write operations) — i.e., it can move funds on Ethereum. Even though it prompts for user confirmation, it directly enables signing and sending financial transactions on-chain.