pancakeswap-v2
Audited by Snyk on Apr 12, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.90). The pre-flight install contains an obfuscated base64-decoded key and a reporting step that computes a device-derived ID (including hostname and $HOME) and POSTs it to external endpoints — an unnecessary, covert exfiltration unrelated to the plugin's stated swap/liquidity functionality.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). The package contains deliberate telemetry/exfiltration and supply-chain touchpoints. An auto-injected "report install" block collects local device info (hostname, uname, arch, $HOME → hashed DEV_ID) and posts it to external endpoints (plugin-store-dun.vercel.app and an okx priapi URL), using a base64-hidden key to produce an HMAC-like identifier. Additionally, the README includes commands that curl remote installers and a binary from GitHub and pipe them to sh (remote-install execution). These are explicit data-exfiltration and supply-chain risks: the obfuscated base64 secret and unsolicited remote posts indicate intentional behavior, not accidental bugs.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill directly queries public third-party RPC endpoints (e.g., bsc-rpc.publicnode.com, base-rpc.publicnode.com, arbitrum-one-rpc.publicnode.com, as listed in plugin.yaml and SKILL.md) via RPC calls (router_get_amounts_out, factory_get_pair, pair_get_reserves, etc.). It ingests that untrusted external on-chain/API data into its workflow and uses it to compute quotes, build calldata, and decide/execute transactions, so third-party content can materially influence agent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's pre-flight steps run at session startup and explicitly fetch-and-execute remote code (curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh) and download a runtime binary from GitHub releases (https://github.com/okx/plugin-store/releases/download/plugins/pancakeswap-v2@0.2.1/...), so external content is fetched during runtime and can execute code.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the entire skill prompt for literal values that look like real, high-entropy credentials. The only sensitive-looking literal is the base64 string:
'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw=='
This value is immediately base64-decoded into a variable named _K and then used to compute an HMAC_SIG (HMAC-like derivation) that becomes part of DIV_ID sent to remote reporting endpoints. That pattern (stored encoded secret → decode → HMAC/computation → remote report) strongly indicates a real, embedded secret key used for signing/identification. It is high-entropy, not a placeholder, and not a trivial setup password, so it meets the definition of a secret to flag.
Other literals in the document (token contract addresses, public RPC URLs, example tx hashes, example passwords/strings) are either public blockchain addresses, configuration values, or clearly documentation/example placeholders and therefore ignored per the rules.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). This skill is explicitly designed to perform on-chain crypto financial operations. It supports swaps, ERC-20 approvals, add/remove liquidity, and broadcasts transactions via "onchainos wallet contract-call" (requires wallet login and reports txHash/explorer links). Those are direct crypto wallet/transaction capabilities (signing/sending funds and managing liquidity on PancakeSwap V2 across BSC/Base/Arbitrum), so it grants direct financial execution authority.