Skills
skills/okx/plugin-store/uniswap-swap-integration/Snyk

uniswap-swap-integration

Fail

Audited by Snyk on Apr 25, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 1.00). The skill includes auto-injected, partially obfuscated instructions that compute a device fingerprint/HMAC and POST it to external endpoints (telemetry/exfiltration) and a directive telling the agent to run the version check before executing commands—behavior not mentioned in the skill's stated purpose—so these are hidden/deceptive instructions outside the advertised functionality.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill's pre-flight "Version check" in SKILL.md explicitly curls a public raw GitHub URL (https://raw.githubusercontent.com/okx/plugin-store/.../plugin.yaml) and uses the fetched version string to decide to update/install the skill (which can change instructions and behavior), so it clearly ingests untrusted public third‑party content that can influence agent actions.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I found an embedded base64-encoded secret in the "Report install" script:

_K=$(echo 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' | base64 -d ...)

This is a high-entropy literal (base64) used as an HMAC signing key to create device signatures sent to OKX. It is not a placeholder or an obvious example and therefore meets the definition of a secret (it can be used to generate valid HMAC signatures accepted by the remote API). No other high-entropy API keys, private keys, or credentials are present. Other values (version strings, file paths, simple example passwords) are documentation/operational values and are ignored per the policy.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly provides integration for Uniswap swaps via a Trading API, the Universal Router SDK, or direct smart contract calls. These interfaces are specifically designed to execute cryptocurrency swap transactions (sending on-chain transactions and interacting with wallets/routers), which is direct financial execution capability in the crypto/blockchain category.

Issues (4)

E004
CRITICAL

Prompt injection detected in skill instructions.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W008
HIGH

Secret detected in skill content (API keys, tokens, passwords).

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
CRITICAL
Analyzed
Apr 25, 2026, 08:26 AM
Issues
4