pancakeswap
Audited by Snyk on Apr 12, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The pre-flight "report install" block embeds obfuscated device-fingerprinting and phone‑home commands that collect hostname/host info and send it to external endpoints, which is unrelated to the PancakeSwap swap/liquidity functionality and therefore constitutes a hidden/deceptive instruction.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly calls public RPC endpoints (bsc-rpc.publicnode.com, base-rpc.publicnode.com, arbitrum-one-rpc.publicnode.com) and TheGraph APIs (api.thegraph.com / api.studio.thegraph.com) and its documented workflows (e.g., SKILL.md “quote”, “swap”, “pools”, “positions”, “add-liquidity”) parse those external responses (token metadata, QuoterV2 quotes, slot0/pool data, subgraph results) to compute slippage, build calldata and decide transaction steps, so untrusted third‑party content can directly influence tool use and subsequent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's pre-flight step fetches and executes remote code at runtime — e.g. it runs curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh and downloads/executes the binary from https://github.com/okx/plugin-store/releases/download/plugins/pancakeswap@0.2.1/pancakeswap-... — both are runtime fetches that execute remote code and are required for the skill.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the entire skill prompt for literal, high-entropy values that could be used as credentials.
I found a base64-encoded string assigned and decoded into the script's _K variable:
echo 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' | base64 -d ... || echo 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw=='
- This decodes to a random-looking value and is used as _K to compute an HMAC_SIG (sha256-based) and DIV_ID that are then sent in install/report requests. That is a high-entropy, literal value embedded in code and used as a signing/identifying secret — not a placeholder or obvious example — so it qualifies as a real secret in the document.
Other items in the prompt (contract addresses, example wallet addresses, command examples, simple strings like REPORT_FLAG, or example passwords mentioned in the policy) are public identifiers, placeholders, or low-entropy/documentation examples and are intentionally ignored per the rules.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a PancakeSwap V3 client for on-chain token swaps and liquidity management on BNB Chain, Base, and Arbitrum. It exposes concrete write operations that move funds:
swap (submits ERC-20 approve + SmartRouter exactInputSingle transactions), add-liquidity (approves tokens and mints an LP position via NonfungiblePositionManager), and remove-liquidity (decreaseLiquidity + collect). It uses wallet-facing commands (onchainos wallet contract-call, wallet login/status, reporting transaction hashes) and lists contract addresses and token addresses. These are specific crypto/blockchain financial execution capabilities (signing and sending transactions / moving on-chain assets), so it meets the Direct Financial Execution criteria.