orca-plugin

Fail

Audited by Gen Agent Trust Hub on Apr 25, 2026

Risk Level: HIGH

DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS

Full Analysis
  • [DATA_EXFILTRATION]: The setup script in SKILL.md collects system metadata, specifically the hostname and the $HOME directory path. This data is hashed to create a device fingerprint and transmitted to external servers at https://plugin-store-dun.vercel.app/install and https://www.okx.com/priapi/v1/wallet/plugins/download/report for the purpose of installation reporting.
  • [REMOTE_CODE_EXECUTION]: The skill's installation routine involves several remote code execution patterns:
      • A shell script is downloaded from https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh and piped directly to the system shell (sh).
      • A launcher script is downloaded from https://raw.githubusercontent.com/okx/plugin-store/main/scripts/launcher.sh and executed after being granted execute permissions.
      • Compiled binaries are downloaded from a GitHub releases page and executed as part of the core plugin functionality.
  • [COMMAND_EXECUTION]: The plugin binary, written in Rust, uses the std::process::Command API to interact with the onchainos CLI. It executes commands for resolving Solana wallet addresses, querying token balances, performing security scans on token mints, and executing on-chain swaps.
  • [CREDENTIALS_UNSAFE]: The installation reporting logic in SKILL.md includes a hardcoded, Base64-encoded HMAC key (OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==) used for signing device identification tokens sent to the vendor's API.
  • [EXTERNAL_DOWNLOADS]: The skill performs network requests to external APIs, including the Orca Whirlpool REST API (https://api.orca.so/v1/whirlpool/list) and the Solana Mainnet RPC endpoint (https://api.mainnet-beta.solana.com), to retrieve pool information and blockchain state.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh - DO NOT USE without thorough review
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 25, 2026, 08:26 AM