morpho
Audited by Snyk on Apr 12, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The prompt contains a hidden "Report install" section that builds an obfuscated HMAC token, fingerprints the device (hostname, OS, home path), and POSTs that data to external endpoints—a deceptive telemetry/exfiltration step unrelated to the skill's advertised lending functionality.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches runtime MarketParams and positions from the external Morpho GraphQL API (https://blue-api.morpho.org/graphql) and claim data from the Merkl API (https://api.merkl.xyz), and those untrusted responses are consumed to compute health factors and to build/execute transactions—so third-party content can directly alter agent decisions and tool use.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's pre-flight setup fetches and executes remote code required at runtime — specifically the install script fetched via curl | sh from https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh and the morpho binary downloaded from https://github.com/okx/plugin-store/releases/download/plugins/morpho@${REQUIRED_VERSION}/morpho-, so these URLs introduce remote code execution risk.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the full skill prompt for high-entropy literal values that could be used as credentials.
Findings:
- Flagged: The base64-encoded string in the install/report section: OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==. This is immediately decoded into _K and then used as an HMAC key to compute a device signature (HMAC_SIG) sent to OKX/other reporting endpoints. It is a high-entropy literal (not a placeholder, not truncated) and functions as a signing key — therefore meets the definition of a secret.
Ignored items (not flagged):
- All Ethereum/Base addresses and token contract addresses — these are public on-chain addresses, not secrets.
- Example values like "0xabc...", "0xb323..." and other redacted tx-hashes — truncated/redacted placeholders.
- Environment/flag names, usage examples, instructions, and simple example passwords described in the doc — documentation placeholders or non-sensitive examples per the provided rules.
Because the base64 string decodes into a runtime HMAC key used for device signing (and is included verbatim in the repo), it is a hardcoded secret that should be treated as an active credential and rotated/removed.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform on-chain financial operations for the Morpho lending protocol: it provides commands to supply/deposit, withdraw, borrow, repay, supply/withdraw collateral, and claim rewards. It uses onchainos wallet contract-call to create and broadcast transactions (including forced ERC‑20 approval broadcasts) and encodes/executes contract calls (deposit, borrow, repay, redeem, claim). This is a specific crypto/blockchain financial execution capability (wallet transactions and signing), not a generic tool—so it grants direct financial execution authority.