pancakeswap-v2-plugin
Warn
Audited by Snyk on Apr 28, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill makes live calls to public RPC endpoints (e.g., bsc-rpc.publicnode.com, base-rpc.publicnode.com, arbitrum-one-rpc.publicnode.com via rpc::* and reqwest in quickstart and other commands) and ingests on-chain/token metadata (balances, reserves, symbols, router quotes, factory pair lookups) which the agent reads and uses to choose paths, compute amounts, and decide/execute transactions, so untrusted third‑party content can materially influence tool behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's pre-flight installation runs a runtime shell pipeline that fetches and executes remote code from https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh (curl ... | sh), which is a required setup step and therefore a high-confidence remote-execution dependency.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a decentralized-exchange plugin for PancakeSwap V2 with built-in write operations that submit on-chain transactions: it supports swap, add-liquidity, remove-liquidity, and ERC‑20 approvals. The execution flow documents using onchainos wallet contract-call to submit approve() and swap/add/remove liquidity transactions, includes a --confirm flag to broadcast writes, and returns txHash/block-explorer links. These are specific crypto transaction capabilities (wallet signing and broadcasting), i.e., direct financial execution on-chain, not generic tooling.
Issues (3)
W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata