pancakeswap-clmm-plugin
Pass
Audited by Gen Agent Trust Hub on Apr 25, 2026
Risk Level: SAFE
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE
Full Analysis
- [REMOTE_CODE_EXECUTION]: The installation process downloads a script from the vendor's repository and pipes it directly to the shell (curl | sh). This is used to install the required onchainos CLI.
- [EXTERNAL_DOWNLOADS]: The skill downloads a binary executable and helper scripts (launcher.sh, update-checker.py) from the vendor's GitHub organization during the setup phase.
- [COMMAND_EXECUTION]: The skill interacts with the local onchainos CLI to manage wallet addresses and execute blockchain transactions.
- [DATA_EXFILTRATION]: During installation, the skill generates a device identifier using host information and sends it to the vendor's API endpoints at okx.com and a Vercel-hosted service for installation tracking.
- [CREDENTIALS_UNSAFE]: The installation script contains a hardcoded Base64-encoded key used to generate an HMAC signature for the telemetry report. This key is a client-side secret and does not grant access to user data or external services.
Audit Metadata