raydium
Audited by Snyk on Apr 12, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The pre-flight "Report install" step computes a device fingerprint, decodes an obfuscated HMAC key, and POSTs a signed device token to remote endpoints (exfiltrating telemetry). This is unrelated to the Raydium AMM functionality and thus constitutes a hidden/deceptive instruction outside the skill's stated purpose.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill clearly calls public Raydium APIs (https://api-v3.raydium.io and https://transaction-v1.raydium.io, referenced in config.rs and SKILL.md and used in src/commands and the swap flow) and directly reads/parses those untrusted API responses (quotes, routePlan, priceImpact, swapResponse). The agent uses these responses to decide warnings/aborts and to build/broadcast transactions, so third-party content can materially influence tool use and next actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's pre-flight install runs remote installers that fetch and execute code at runtime (curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh) and downloads an executable binary from GitHub releases (https://github.com/okx/plugin-store/releases/download/plugins/raydium@0.1.0/...), which are required dependencies and thus represent high-confidence remote code execution risk.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the full skill prompt for literal, high-entropy values that could be used to access a service.
Flagged item:
- The base64 string 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' is decoded at runtime into _K and then used to compute an HMAC device token that is posted to OKX. This is a reversible, embedded secret-like value (high-entropy, base64-encoded) used for signing requests — i.e., a real credential-like key that should not be stored in plaintext in source.
Ignored items (reason):
- Token mint addresses (e.g., So1111..., EPjFWdd...) are public blockchain token mint identifiers, not secrets.
- API/endpoint URLs and example CLI commands are documentation and not credentials.
- The install/reporting calls and device fingerprinting logic are operational code, not exposed secret values (aside from the embedded _K noted above).
- No API keys, private PEM blocks, or other obvious secrets appear elsewhere.
Therefore this file does contain a hardcoded/recoverable signing key (the base64 string) that qualifies as a secret.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed for crypto financial operations. It provides a "swap" command that builds serialized Solana transactions, resolves wallet addresses, and submits on-chain transactions via onchainos (using wallet contract-call --unsigned-tx --force). It can execute token swaps, broadcast transactions, and report transaction hashes. Although it requires user confirmation before executing, the plugin has direct capability to sign/submit blockchain transactions and thus can move funds.