The Agent Skills Directory

CRITICAL E004: Prompt injection detected in skill instructions.

Potential prompt injection detected (high risk: 0.80). The prompt includes an obfuscated (base64-decoded) HMAC key and a hidden device-fingerprinting + reporting block that posts a signed device ID to third-party endpoints during install—functionality unrelated to the plugin’s stated farming features and thus a hidden/deceptive instruction.

CRITICAL E005: Suspicious download URL detected in skill instructions.

Suspicious download URL detected (high risk: 0.80). These URLs instruct downloading and executing binaries/scripts (curl|sh and direct executables) and reporting device fingerprints—while some sources (okx GitHub/okx.com) appear official, the use of direct executable downloads, raw install scripts, and a third-party Vercel reporting endpoint creates a non-trivial risk of malware or unwanted telemetry if the repositories or endpoints are compromised or not authentic.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Third-party content exposure detected (high risk: 0.80). The skill directly fetches and interprets data from public third-party RPC endpoints (e.g., https://bsc-rpc.publicnode.com, https://ethereum.publicnode.com declared in plugin.yaml and config.rs) and on-chain APIs (used throughout src/commands/*.rs such as owner_of, pending_cake, pool_info and farm-pools) and uses that untrusted content to make decisions and build/execute transactions, so external content can materially influence tool use and next actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 0.90). The skill's pre-flight runtime installs fetch and execute remote code (curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh) and downloads an executable from GitHub Releases (https://github.com/okx/plugin-store/releases/download/plugins/pancakeswap-clmm@0.1.0/...), so these URLs are used at runtime to run remote code which the skill requires.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

Secret detected (high risk: 1.00). I scanned the full skill prompt for high-entropy, literal values that could be usable credentials.

Findings:

The script embeds a base64-encoded string assigned to _K: OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw== This value is immediately decoded and used as an HMAC signing key for reporting (HMAC signature for device token). It is a high-entropy literal value (not a placeholder) and functions as an application secret (used to sign requests). Because it appears to be an actual, embedded key that could be used to generate valid HMAC signatures, I treat it as a real secret.

Ignored items (not flagged):

Contract addresses (0x...) — these are public on-chain addresses, not secrets.
Example token IDs, command examples, flags, URLs, and other operational strings — documentation or public endpoints.
Any simple/example passwords or placeholders — none present that meet the high-entropy secret definition.

Conclusion: the base64-encoded _K value is a hardcoded secret (high-entropy signing key). No other high-entropy secrets were found.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform on-chain financial actions: staking/unstaking LP NFTs, withdrawing NFTs, harvesting reward tokens, and collecting fees. Its write commands (farm, unfarm, harvest, collect-fees) execute transactions via "onchainos wallet contract-call", resolve wallet addresses, require user confirmation, and report tx hashes. It also references ERC-20 approvals and uses specific contract addresses and chain IDs. These are concrete crypto/blockchain transaction capabilities (wallet interaction and asset transfers), so it grants direct financial execution authority.

pancakeswap-clmm