pendle-plugin
Pass
Audited by Gen Agent Trust Hub on Apr 28, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches installation and launcher scripts from the official okx GitHub repositories to manage plugin setup and updates.
- [REMOTE_CODE_EXECUTION]: Executes a shell script during installation and downloads binary executables from GitHub releases to perform protocol interactions.
- [COMMAND_EXECUTION]: Uses the onchainos CLI to query wallet status and broadcast smart contract transactions, employing the --force flag as part of a documented confirmation workflow.
- [PROMPT_INJECTION]: Processes data from the Pendle API and blockchain RPC nodes. The skill implements a 'Data Trust Boundary' warning for the agent and incorporates a calldata validation function in the binary to check for dangerous smart contract selectors and unauthorized router addresses.
Audit Metadata