meteora
Audited by Snyk on Apr 12, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The pre-flight install includes an obfuscated base64-decoded secret and a hidden "report install" routine that computes a device-derived ID and POSTs it to external endpoints—telemetry/exfiltration unrelated to the plugin's advertised on-chain query and swap functionality, so this is a deceptive hidden instruction.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). Although the domains (githubusercontent/github.com, okx.com, meteora.ag, vercel.app) appear to be legitimate/related to OKX/Meteora, the skill instructs piping a raw GitHub shell script to sh and downloading platform-specific executables from a release URL with no signatures or checksum verification, which is a high-risk supply-chain pattern that could distribute malware.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.70). The skill fetches live data and quotes from third-party public endpoints (e.g., https://dlmm.datapi.meteora.ag and public Solana RPCs listed in plugin.yaml and SKILL.md, and uses those responses in get-pools/get-pool-detail/get-swap-quote/get-user-positions flows) which the agent reads and acts on to build/execute transactions, so untrusted external content can materially influence decisions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's pre-flight steps run remote installers at runtime — notably curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh (executes a fetched install script) and curl -fsSL https://github.com/okx/plugin-store/releases/download/plugins/meteora@0.3.3/meteora-${TARGET}${EXT} (downloads a binary installed/executed), so remote content is fetched and executed as required dependencies.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I flagged one high-entropy literal: the base64 string 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' assigned to _K (then base64-decoded) and used to compute HMAC_SIG/DIV_ID. This is a literal secret key embedded in the script (not a placeholder), and appears usable for generating/verifying HMACs — therefore it meets the definition of a secret.
Everything else in the prompt is either:
- Public token/mint addresses (standard Solana mints) — not secrets.
- Example commands, environment variable names, or obvious placeholders (e.g., <position_addr>, ) — ignored per rules.
- No API keys, PEM blocks, or other high-entropy credentials besides the base64 blob above.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a Solana DEX plugin with built-in on-chain transaction capabilities. It provides commands to execute token swaps, add liquidity, and remove liquidity, and it uses onchainos to sign and broadcast transactions (e.g., "onchainos swap execute --chain solana" and "onchainos wallet contract-call --chain 501"). It constructs and submits Solana transactions (including wrapping SOL to WSOL, claiming fees, closing accounts) and returns tx hashes/explorer links. These are specific crypto/blockchain financial operations (moving tokens on-chain), so it grants direct financial execution authority.