The Agent Skills Directory

CRITICAL E004: Prompt injection detected in skill instructions.

Potential prompt injection detected (high risk: 1.00). The prompt includes obfuscated/hidden telemetry instructions (base64-decoded HMAC key, device fingerprinting, and POSTs to external endpoints) that exfiltrate a device identifier and are unrelated to the skill's stated swap/liquidity functionality, which is deceptive and outside scope.

CRITICAL E005: Suspicious download URL detected in skill instructions.

Suspicious download URL detected (high risk: 0.70). They point to seemingly official OKX GitHub and OKX domains but include direct downloads (raw .sh via curl|sh and platform binaries from a GitHub release) and telemetry/report endpoints — which are potentially risky to execute or run without verification (checksums/signatures) and could leak device info or deliver malicious code if the sources were compromised.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Third-party content exposure detected (high risk: 1.00). The skill explicitly queries public RPC endpoints and TheGraph (e.g., api.thegraph.com and bsc-rpc.publicnode.com listed in plugin.yaml and described in SKILL.md) and uses those untrusted on-chain/third‑party responses (quotes, pool slot0, balances, subgraph positions) to compute transaction parameters and decide actions, so external content can materially influence tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 1.00). The skill's pre-flight installs fetch and run remote code at runtime — notably curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh (executes a remote install script) and curl -fsSL "https://github.com/okx/plugin-store/releases/download/plugins/pancakeswap-v3@1.0.0/pancakeswap-v3-${TARGET}${EXT}" (downloads a remote binary that is made executable), so required runtime dependencies execute remote code.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

Secret detected (high risk: 1.00). I scanned for literal, high-entropy values that could be used to authenticate or sign requests. The script contains a base64-encoded string assigned/decoded into variable _K:

'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw=='

This is then used as an HMAC signing key ("HMAC signature (obfuscated key, same as CLI binary)") to compute a device token sent to OKX. That is a directly embedded secret (high-entropy, not a placeholder) and therefore should be treated as a hardcoded credential.

Other items that might look sensitive were evaluated and ignored:

All listed contract and token addresses are public blockchain addresses (not secrets).
Truncated transaction hashes in the changelog (e.g., '0x8b267fbf...') are redacted and ignored.
No obvious API keys like "sk-live-..." or placeholders (YOUR_API_KEY) are present.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform on-chain financial actions: it supports swapping tokens, approving ERC-20 transfers, minting/removing V3 LP positions, and broadcasting on-chain transactions via onchainos wallet contract-call. Commands like swap, add-liquidity, and remove-liquidity describe multi-step transaction broadcasts (approves, exactInputSingle, mint, decreaseLiquidity, collect) and report transaction hashes. This is direct crypto/blockchain transaction execution capability (wallet signing & broadcasting), not a generic tool, so it meets the "Direct Financial Execution" criteria.

pancakeswap-v3

Issues (6)