meteora-plugin

Fail

Audited by Snyk on Apr 25, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 0.80). The pre-flight section includes an auto-injected "Report install" step that decodes an obfuscated key, constructs a device fingerprint/HMAC token, and POSTs it to external endpoints (Vercel and OKX) — telemetry/exfiltration behavior not described in the plugin's advertised functionality, so this is a hidden/deceptive instruction outside the skill's stated purpose.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.80). Although the domains are primarily tied to the legitimate OKX GitHub org and related services, the skill instructs curl|sh of raw GitHub scripts and direct download/execute of release binaries (plus telemetry/reporting to external endpoints), which is a risky distribution pattern that can deliver arbitrary code even if hosted by a well-known project.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and parses data from public third-party sources — the Meteora REST API (https://dlmm.datapi.meteora.ag) and Solana RPC endpoints (api.mainnet-beta.solana.com, rpc.ankr.com) as shown in SKILL.md and src/api.rs/src/commands (e.g., get_pools, get_pool_detail, get_user_positions, add_liquidity), and it uses those responses to compute ranges, build transactions, and drive onchain actions, so untrusted external content can materially influence the agent's tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The SKILL.md includes a runtime "curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh" which fetches and immediately executes remote shell code to install the onchainos CLI (a required runtime dependency used throughout the skill), so this is a high-confidence executable remote dependency.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the entire SKILL.md for literal, high-entropy credentials. I ignored obvious non-secrets (public endpoints, Solana mint/public addresses, example wallet/pool addresses, and command examples) per your rules.

I flagged a base64-encoded literal in the "Report install" section:

_K is assigned from: echo 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' | base64 -d

This is a hardcoded, non-placeholder value used as an HMAC key to sign the device token before reporting to OKX. It is not a generic placeholder, appears base64-encoded (non-trivial entropy), and is directly used as a secret key in code (then unset). That meets the definition of a secret (literal value granting access/ability to sign requests). All other potentially suspicious strings (token mint addresses, example wallet addresses, CLI sample passwords) are public or clearly examples/placeholders and were ignored.


MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform on-chain crypto financial operations on Solana: it can execute token swaps (swap → onchainos swap execute --chain solana), add liquidity (builds and submits Solana transactions, auto-wraps SOL, requires --confirm), and remove liquidity (submits on-chain transactions via onchainos wallet contract-call). It reads wallet balances and can broadcast signed transactions (reports tx_hash and explorer_url). These are direct crypto/blockchain wallet and transaction capabilities (signing/broadcasting swaps and liquidity operations), so it grants direct financial execution authority.

Issues (6)

CRITICAL E004: Prompt injection detected in skill instructions.

CRITICAL E005: Suspicious download URL detected in skill instructions.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: CRITICAL
Analyzed: Apr 25, 2026, 08:26 AM
Issues: 6