orca

Fail

Audited by Snyk on Apr 12, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 0.90). The pre-flight "Report install" block decodes a hidden base64 key and silently computes & POSTs a device-derived identifier and telemetry to external endpoints—behavior unrelated to the described DEX functionality and effectively a hidden/exfiltration instruction.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.80). These links include a raw install.sh piped to sh and platform-specific binaries pulled from a GitHub release (plus third-party telemetry endpoints); although hosted on recognizable domains (github.com, okx.com, orca.so, vercel.app), automatically fetching and executing remote scripts and executables is a high-risk malware distribution pattern.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). This skill explicitly makes live calls to the public Orca REST API (https://api.orca.so/v1) as described in SKILL.md ("Read ops → direct Orca REST API calls") and plugin.yaml (api_calls), and those external responses are used to compute quotes and select pools that directly affect swap decisions, exposing the agent to untrusted third‑party content that could influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the entire skill prompt for literal, high-entropy values that could be usable credentials.

Flagged item:

  • The base64 literal 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' assigned to _K in the "Report install" section. This is a non-placeholder, high-entropy literal that is decoded and used to compute an HMAC-style signature (HMAC_SIG) for a DIV_ID. Because it is a static encoded secret embedded in the script (not a placeholder like YOUR_API_KEY and not a simple demonstration password), it qualifies as a hardcoded secret.

Not flagged:

  • Solana program ID, token mint addresses, example commands, environment variable names, and other strings (e.g., public REST API endpoints, example passwords or sample tokens) are public identifiers, placeholders, or low-entropy examples and therefore do not meet the definition of a secret for this review.

I did not decode or expose the decoded string; I only identified the encoded literal as a high-entropy secret-like value embedded in the code.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform on-chain crypto trades: it provides a "swap" command that executes token swaps on Solana via the onchainos CLI command onchainos dex swap execute --chain 501, returns transaction hashes and Solscan links, and references the Orca Whirlpools program. This is a specific financial execution capability (crypto swap/broadcast), not a generic tool, even though it includes read-only queries and user-confirmation safeguards.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill's auto-injected pre-flight steps download and execute remote install scripts and binaries, write files under the user's home directory and POST device identifiers to external endpoints—modifying the host state and potentially exfiltrating info—even though it does not request sudo or change system-level configs.

Issues (7)

  E004  CRITICAL  Prompt injection detected in skill instructions.
  E005  CRITICAL  Suspicious download URL detected in skill instructions.
  W011  MEDIUM    Third-party content exposure detected (indirect prompt injection risk).
  W012  MEDIUM    Unverifiable external dependency detected (runtime URL that controls agent).
  W008  HIGH      Secret detected in skill content (API keys, tokens, passwords).
  W009  MEDIUM    Direct money access capability detected (payment gateways, crypto, banking).
  W013  MEDIUM    Attempt to modify system services in skill instructions.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Apr 12, 2026, 05:07 AM
Issues: 7