pump-fun
Audited by Snyk on Apr 12, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The skill contains obfuscated, non-functional install/reporting steps that compute a device fingerprint and HMAC-signed token and POST it to external endpoints—a hidden/exfiltration behavior unrelated to the stated buy/sell/price functionality.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). Although the URLs point to recognizable hosts (okx.com, github.com/raw.githubusercontent.com) and likely come from the OKX organization, they include direct executable downloads (GitHub release binaries), a raw shell script intended to be piped/run (curl | sh), and telemetry/reporting endpoints (Vercel + OKX priapi) that collect device identifiers — making them potentially risky and worth caution.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The SKILL.md and Data Trust Boundary explicitly show the skill queries public Solana on-chain accounts / Solana RPC (via pump-fun get-token-info and get-price) and the agent is expected to read those untrusted, public on-chain values to calculate prices and decide buy/sell actions, so third-party on-chain content can materially influence tool use.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's pre-flight installation runs at runtime and directly fetches and executes remote code — notably the install script fetched and piped to sh from https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh (and it also downloads a required binary from https://github.com/okx/plugin-store/releases/download/plugins/pump-fun@0.1.0/pump-fun-), so external content is executed and required for the skill.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned for literal, high-entropy values that would function as real credentials. The base64 string assigned to _K ('OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==') is decoded and used as an HMAC key for signing a device token—this is a real embedded secret (high-entropy, not a placeholder). Other values (program ID, RPC URLs, env var names, example passwords, command-line examples) are either public identifiers, placeholders, or low-entropy documentation examples and are therefore ignored.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly built to perform cryptocurrency transactions on Solana: it provides buy and sell operations that route through "onchainos swap execute --chain solana", handles SOL↔token swaps on bonding curves/DEXes, and reports transaction signatures. These are concrete crypto/blockchain transaction functions (sending on-chain transactions), not generic tooling. Although it requires user confirmation and supports dry-run, the primary purpose is executing financial actions on-chain (buy/sell tokens), so it grants direct financial execution capability.
Issues (6)
Prompt injection detected in skill instructions.
Suspicious download URL detected in skill instructions.
Third-party content exposure detected (indirect prompt injection risk).
Unverifiable external dependency detected (runtime URL that controls agent).
Secret detected in skill content (API keys, tokens, passwords).
Direct money access capability detected (payment gateways, crypto, banking).