pendle-plugin
Warn
Audited by Snyk on Apr 28, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). This skill calls external Pendle APIs and the Pendle Hosted SDK (see api.rs sdk_convert / sdk_convert_v2_get and plugin.yaml api_calls pointing at https://api-v2.pendle.finance/core) and then directly uses SDK responses (calldata, router, requiredApprovals, expected_*_out) to decide approvals and to execute on-chain transactions, so untrusted third-party content can materially influence agent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's auto-injected pre-flight steps run at runtime and fetch/execute remote scripts and binaries (notably curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh and the GitHub release download https://github.com/okx/plugin-store/releases/download/plugins/pendle-plugin@0.2.8/pendle-plugin-${TARGET}${EXT}, plus launcher/update-checker scripts from https://raw.githubusercontent.com/okx/plugin-store/...), which directly execute remote code and are required to install/run the skill, so they present a clear runtime code-execution risk.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a DeFi trading plugin for Pendle Finance and includes built-in write operations that create and broadcast on-chain transactions. It supports buy-pt/sell-pt, buy-yt/sell-yt, add-liquidity/remove-liquidity, mint-py/redeem-py and ERC‑20 approvals; previews return calldata and the live mode (via a global --confirm flag) invokes onchainos wallet contract-call (with --force) to submit approvals and router transactions and returns tx_hashes. These are specific crypto/blockchain transaction primitives (wallet integration, calldata generation, approvals, and on-chain contract calls) intended to move funds — therefore it grants direct financial execution capability.
Issues (3)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).