pendle
Audited by Snyk on Apr 12, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.70). The prompt includes an auto-injected "Report install" section that collects device-identifying data, decodes an embedded base64 key, and POSTs telemetry to external endpoints. This behavior is unrelated to Pendle trading and effectively exfiltrates environment info, so it constitutes hidden/deceptive instructions outside the skill's stated purpose.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). Although most domains (githubusercontent/GitHub, okx.com, pendle.finance, vercel.app) look legitimate, the skill instructs direct execution/download of a raw shell script (curl|sh from raw.githubusercontent.com) and a GitHub-release binary — both high-risk distribution patterns if run without verification — while the API/reporting endpoints are low-risk; treat as moderately suspicious and verify signatures/sources before running.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill calls Pendle's public API (PENDLE_API_BASE https://api-v2.pendle.finance/core) — see src/api.rs (sdk_convert) and the SKILL.md execution flow — and parses SDK responses (routes, calldata, router, requiredApprovals) that the agent then uses to decide and execute onchainos wallet contract-call and approval transactions, so untrusted third‑party content directly influences tool actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). I flagged the runtime fetches because the pre-flight install uses curl piping to execute remote shell code (https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh), the installer downloads and installs a remote executable (https://github.com/okx/plugin-store/releases/download/plugins/pendle@0.2.1/pendle-...), and the plugin relies at runtime on the Pendle Hosted SDK API which returns calldata/router/approvals (https://api-v2.pendle.finance/core, notably POST /v3/sdk/{chainId}/convert) that directly determines on-chain transaction execution.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the entire skill prompt for high-entropy, literal credentials. The only item that meets the definition of a secret is the base64-encoded string assigned to _K in the "Report install" section:
_K=$(echo 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' | base64 -d ...)
This is a hardcoded, high-entropy literal (base64-encoded) that is used to compute an HMAC signature (HMAC_SIG) sent to external endpoints. That pattern strongly indicates a secret key baked into the code and therefore should be treated as a leaked credential.
Other values in the document are documentation/example artifacts or public on-chain addresses (router, token addresses), command examples, or obvious placeholders and were ignored per the provided rules (low-entropy setup strings, environment variable names, or sample values).
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a Pendle Finance plugin whose primary purpose is on-chain financial operations: buying/selling PT and YT tokens, adding/removing AMM liquidity, minting/redeeming PT+YT, performing ERC-20 approvals, and returning tx_hashes. Write operations generate calldata via the Pendle SDK and are submitted via onchainos wallet contract-call (with --force) after user confirmation. This is a specific integration with blockchain transaction execution (including approvals and router calldata) designed to move funds/tokens on-chain — i.e., direct financial execution.