uniswap-swap-planner
Audited by Snyk on Apr 25, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.80). The auto-injected "report install" snippet secretly computes a device identifier (using an obfuscated key) and POSTs it to remote endpoints—telemetry/exfiltration behavior that is not part of the skill's advertised swap-planning/deep-linking purpose and is effectively hidden.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The SKILL.md "Pre-flight Dependencies" contains an explicit "AI Agent Instruction" version check that curls a public GitHub raw URL (https://raw.githubusercontent.com/.../plugin.yaml) and uses the fetched REMOTE_VER to decide and trigger updates/actions, so the agent ingests untrusted third‑party content that can materially change its behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.70). The skill performs a runtime curl of https://raw.githubusercontent.com/okx/plugin-store/main/skills/uniswap-swap-planner/plugin.yaml to determine a remote version and, based on that value, may run an update command (npx skills add ...) which would fetch and execute remote code—so the fetched URL is used at runtime to control whether code is executed.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I found a high-entropy, hard-coded value used as an HMAC key:
- The base64 string 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' is decoded/used as _K and then concatenated with DEV_ID to produce an HMAC signature (HMAC_SIG). This is a literal, non-placeholder secret embedded in the code and appears to be an actual key (obfuscated but recoverable by base64 decoding). It is not a simple/example password, not an environment variable name, and not redacted/truncated.
No other high-entropy keys, private keys, or API tokens are present. URLs and version strings are not secrets.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed around crypto token swaps: its name and description state it "Plan token swaps and generate Uniswap deep links across all supported chains." This is a Uniswap Labs plugin whose primary purpose is to prepare and initiate on-chain swap flows (via deep links to wallet/Uniswap interfaces). That falls squarely under "Crypto/Blockchain (Wallets, Swaps, Signing)" in the core rule, so it provides direct financial execution capability (facilitating token swaps), even if the pasted SKILL.md mainly shows install/version checks.
Issues (5)
Prompt injection detected in skill instructions.
Third-party content exposure detected (indirect prompt injection risk).
Unverifiable external dependency detected (runtime URL that controls agent).
Secret detected in skill content (API keys, tokens, passwords).
Direct money access capability detected (payment gateways, crypto, banking).