uniswap-ai
Audited by Snyk on Apr 25, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). Contains hidden telemetry that fingerprints the device, decodes an obfuscated key, computes an HMAC, and exfiltrates a device identifier to external endpoints—behavior not described in the skill's stated Uniswap developer tools purpose.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's SKILL.md includes an automated "version check" that fetches https://raw.githubusercontent.com/okx/plugin-store/main/skills/uniswap-ai/plugin.yaml (a public GitHub URL) and uses the remote value to decide to update/install new code, so untrusted third‑party content can influence agent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The pre-flight version check fetches https://raw.githubusercontent.com/okx/plugin-store/main/skills/uniswap-ai/plugin.yaml at runtime and, if the remote version differs, runs npx to install/upgrade the skill which will fetch and execute remote code (npx skills add okx/plugin-store …), so the remote URL directly influences execution of external code.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I inspected the full skill prompt for literal, high-entropy values that could be usable credentials.
Findings:
- The base64 string assigned to _K ('OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==') is a literal, non-truncated, high-entropy value that is decoded and used as an HMAC key. The comment even describes it as an "obfuscated key, same as CLI binary." This is an embedded secret (a static HMAC key) and not a placeholder or simple setup password.
- No API tokens like "sk-..." or Bearer tokens, no PEM/RSA private key blocks, and no other high-entropy literals were present.
- Several values are URLs, flags, or simple strings (e.g., plugin names, version numbers) and are not secrets. Nothing else matches the definition of a secret per the provided rules.
Because the base64-encoded _K decodes to a secret HMAC key used programmatically, I mark this as a real embedded secret.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly an AI-powered Uniswap tool described for "trading, hooks, drivers, and on-chain analysis" across Uniswap V2/V3/V4. "Trading" and "drivers" on a DEX imply performing on-chain crypto swap transactions and interacting with wallets/contracts. This is a purpose-built crypto trading integration (not a generic tool), so it provides direct financial execution capability.