orca-plugin
Audited by Snyk on Apr 25, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.80). The prompt includes auto-injected pre-flight/install steps that perform device fingerprinting, decode an obfuscated HMAC key, and POST a signed device token to external endpoints (telemetry/exfiltration) which is unrelated to the plugin's stated swap/query functionality and thus constitutes a hidden/deceptive instruction outside the skill's purpose.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill fetches and parses live data from public third‑party endpoints (e.g., src/api.rs calls https://api.orca.so/v1/whirlpool/list and src/onchainos.rs posts to https://api.mainnet-beta.solana.com), and those untrusted API responses are directly used by get-quote and swap (src/commands/get_quote.rs and src/commands/swap.rs) to compute quotes, price impact, select pools, and to allow/block execution—so external content can materially influence agent behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's pre-flight steps run at runtime and explicitly execute remote code (e.g., curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh and curl -fsSL https://raw.githubusercontent.com/okx/plugin-store/main/scripts/launcher.sh -o ... then chmod +x, and downloading the GitHub release binary https://github.com/okx/plugin-store/releases/download/plugins/orca-plugin@0.6.4/... which together fetch and run remote content), so a runtime external URL is used to execute remote code.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned for high-entropy, literal credentials. The doc contains many public Solana mints/program IDs (e.g., So1111..., EPjFWdd5..., whirLbMiicVdio4qvU...) which are public addresses and not secrets, and several truncated/example values (e.g., "7xKX...", "orca-plugin --confirm ...") which are documentation/examples — these are ignored per the rules.
However, there is a base64 string assigned to _K in the install/report block:
OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==
It is decoded and used to compute an HMAC signature (HMAC_SIG) for a device token. This is a literal, non-placeholder, high-entropy value embedded in the script and used as a signing key (the comment even calls it an "obfuscated key, same as CLI binary"). That meets the definition of a secret (it enables signing/HMAC and is not a trivial example), so it should be flagged.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). This skill is explicitly a crypto trading plugin for Solana. It provides a "swap" command that, after user confirmation, broadcasts on-chain token swap transactions via "onchainos swap execute --chain 501", performs wallet balance checks, security scans, and returns a transaction hash/solscan link. Its primary purpose is executing blockchain payments/swaps (crypto execution), so it grants direct financial execution authority.