pancakeswap-clmm-plugin
Audited by Snyk on Apr 25, 2026
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.70). This skill explicitly fetches and ingests data from public third-party endpoints (e.g., the SKILL.md pre-flight/install steps that curl raw.githubusercontent.com and GitHub releases, plus runtime calls to public RPC URLs like https://bsc-rpc.publicnode.com used by positions/farm-pools/pending-rewards), and those external responses are parsed and used to drive previews, staking decisions, and update behavior—so untrusted third-party content can materially influence tool use and next actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's pre-flight install runs a remote install script via curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh (and also downloads executable artifacts from raw.githubusercontent.com / github.com releases), which executes remote code to install required runtime components (onchainos and the plugin binary), so this is a high-confidence runtime-executed external dependency.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned for high-entropy literal values that could provide access. The only true secret-like value is the base64 string embedded in the "Report install" block:
- 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw=='
This is base64-decoded into the variable _K and then used to compute an HMAC device signature sent to OKX/report endpoints. That is a hardcoded, high-entropy key used for signing — it qualifies as a secret and should be treated as sensitive.
I ignored other items as non-secrets per the rules:
- Contract addresses, RPC URLs, and token IDs are public on-chain identifiers (not secrets).
- Placeholders and examples such as "your@email.com", "", "<YOUR_TOKEN_ID>", and obvious example passwords were treated as documentation placeholders and not flagged.
- Truncated/redacted or clearly-example strings (none besides placeholders) were ignored.
Therefore a real hardcoded credential (the embedded base64 HMAC key) is present.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a crypto/blockchain financial tool. It provides write operations that submit on-chain transactions which move assets: "farm" stakes LP NFTs into MasterChefV3 (transfers NFT), "unfarm" withdraws NFTs and harvests CAKE, "harvest" claims/transfers CAKE, and "collect-fees" transfers accrued token fees. It uses an onchainos wallet for signing/contract-call and reports txHash and amounts. These are direct crypto asset operations (wallets, signing, token transfers), not generic tooling — therefore it grants direct financial execution capability.
Issues (4)
Third-party content exposure detected (indirect prompt injection risk).
Unverifiable external dependency detected (runtime URL that controls agent).
Secret detected in skill content (API keys, tokens, passwords).
Direct money access capability detected (payment gateways, crypto, banking).