velodrome-v2-plugin
Audited by Snyk on Apr 25, 2026
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.75). Although the URLs point to OKX-owned domains and GitHub raw/release assets (legitimate-looking), the workflow includes curl|sh of raw scripts, direct download and execution of platform binaries from a GitHub release, and a Vercel reporting endpoint — a pattern that is high-risk because it can deliver malware or exfiltrate data if the publisher, repo, or distribution endpoint is compromised.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill directly queries public Optimism RPC endpoints (rpc_url() → "https://optimism-rpc.publicnode.com" in src/config.rs and eth_call in src/rpc.rs) and uses those untrusted on-chain responses (pool addresses, quotes, reserves, balances) inside required command workflows (quote/swap/add-liquidity/etc. and SKILL.md data-trust boundary) to choose routes, compute amountOutMin, and decide/submit transactions, so external content can materially influence agent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's pre-flight setup fetches and executes remote installer code at runtime (notably via curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh) and also downloads executable artifacts from GitHub releases (https://github.com/okx/plugin-store/releases/download/.../velodrome-v2-plugin-...), which run remote code and are required dependencies for the plugin to operate.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I reviewed the entire skill prompt for literal high-entropy secrets. The only suspicious literal is the base64 string in the report-install section:
_K=$(echo 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' | base64 -d ...)
This is a high-entropy, non-placeholder value (marked in the script as the "obfuscated key" used to HMAC-sign the device token and matched to the CLI binary). That fits the definition of a secret: a literal, random-looking value used for signing/authentication. I treat it as a real embedded credential.
Everything else is noisy but not secrets: contract/token addresses, example CLI commands, abbreviated tx hashes, and other values are not high-entropy credentials (addresses are public on-chain identifiers; command examples and short strings are documentation placeholders). No API keys (sk-...), PEM blocks, or private keys were found.
Therefore flag this skill as containing a hardcoded secret (the base64-encoded HMAC key).
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform blockchain financial operations: it supports token swaps, quotes, adds/removes liquidity, claims rewards, approves ERC-20 allowances, and submits on-chain contract calls (e.g., swapExactTokensForTokens, addLiquidity, removeLiquidity) via wallet contract-call. It also depends on wallet signing (onchainos TEE-sandboxed signing) and returns txHash for executed transactions. These are specific crypto/blockchain transaction capabilities (wallet signing and transaction submission), so it grants direct financial execution authority.
Issues (5)
Suspicious download URL detected in skill instructions.
Third-party content exposure detected (indirect prompt injection risk).
Unverifiable external dependency detected (runtime URL that controls agent).
Secret detected in skill content (API keys, tokens, passwords).
Direct money access capability detected (payment gateways, crypto, banking).