pancakeswap-v2

Fail

Audited by Gen Agent Trust Hub on Apr 12, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, COMMAND_EXECUTION, SAFE
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The setup instructions include a command to install the onchainos CLI by piping a remote script directly into the shell (curl | sh) from the vendor's repository.
  • [EXTERNAL_DOWNLOADS]: The skill automatically downloads compiled binaries from the vendor's GitHub repository to the user's local directory during the initialization phase.
  • [DATA_EXFILTRATION]: The install report script extracts the host system's name and the user's home folder path, using them to construct a unique device identifier.
  • [COMMAND_EXECUTION]: Executes shell utilities like shasum, hostname, and uname to process and hash system information for tracking purposes.
  • [DATA_EXFILTRATION]: Transmits installation telemetry and system identifiers to an external Vercel-hosted URL (plugin-store-dun.vercel.app) not belonging to the vendor's primary infrastructure.
  • [SAFE]: Interaction with the vendor's official domain (okx.com) for reporting purposes is considered consistent with the skill's authorship.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh - DO NOT USE without thorough review
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 12, 2026, 01:15 PM