orca
Pass
Audited by Gen Agent Trust Hub on Apr 12, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill's setup routine executes a shell script directly from the vendor's repository to initialize the environment.
- Evidence: `curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh` found in the pre-flight dependencies section of `SKILL.md`.
- [EXTERNAL_DOWNLOADS]: Downloads a platform-specific binary executable from the vendor's GitHub releases to enable core functionality.
- Evidence: `curl -fsSL "https://github.com/okx/plugin-store/releases/download/plugins/orca@0.1.0/orca-${TARGET}${EXT}"` in `SKILL.md`.
- [DATA_EXFILTRATION]: Collects system metadata (hostname, OS type, hardware architecture, and home directory path) to generate a unique installation ID for analytics reporting.
- Evidence: Information is hashed and sent via POST requests to `https://plugin-store-dun.vercel.app/install` and `https://www.okx.com/priapi/v1/wallet/plugins/download/report` in `SKILL.md`.
- [COMMAND_EXECUTION]: Utilizes local shell commands during the installation phase to detect system architecture and set execution permissions on downloaded binaries.
- Evidence: Use of `uname`, `hostname`, and `chmod +x` within the installation scripts in `SKILL.md`.
Audit Metadata