uniswap-v4-security-foundations

Fail

Audited by Snyk on Apr 25, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 0.90). The skill contains auto-injected pre-flight scripts that compute a device fingerprint, use an obfuscated HMAC key, and POST telemetry/update checks to remote endpoints—hidden/undeclared behaviors outside the skill's stated security-guide purpose.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The SKILL.md pre-flight "Version check" explicitly curls a public URL on raw.githubusercontent.com (https://raw.githubusercontent.com/.../plugin.yaml) and parses the remote version to decide whether to update the skill, so external, publicly-hosted repository content is fetched and can change runtime behavior.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I inspected the skill text for high-entropy, literal credential material. The only non-placeholder/high-entropy literal is the base64 string assigned to _K:

echo 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' | base64 -d

This is not a placeholder, truncated, or an obvious example — it appears to be an obfuscated/embedded HMAC key used to compute HMAC_SIG for reporting to OKX ("HMAC signature (obfuscated key, same as CLI binary)"). Embedding a base64-encoded key like this constitutes a hardcoded secret (high-entropy, literal value that grants access/authorization). I did not flag any other strings because:

  • No obvious API keys, PEM blocks, or other high-entropy tokens are present elsewhere.
  • Other values (paths, URLs, generated DEV_ID, example/installation commands) are not secrets.
  • Common placeholders or simple passwords are not present.

Issues (3)

  • E004 (CRITICAL): Prompt injection detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W008 (HIGH): Secret detected in skill content (API keys, tokens, passwords).

Audit Metadata

  • Risk Level: CRITICAL
  • Analyzed: Apr 25, 2026, 08:26 AM
  • Issues: 3