velodrome-v2

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill performs JSON-RPC eth_call requests to public Optimism RPC endpoints (rpc_url() -> "https://optimism-rpc.publicnode.com" called in src/rpc.rs and documented in SKILL.md as "Read-only operations ... via JSON-RPC to Optimism"), and it directly reads on-chain, user-controlled data (pool addresses, reserves, router quotes, gauge earnings) which the agent uses to choose pools, compute quotes, and decide/send transactions—so untrusted third‑party content can materially influence tool use and next actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill's pre-flight install steps run at startup and explicitly fetch-and-execute remote code (curl ... | sh) from https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh and also download an executable binary from https://github.com/okx/plugin-store/releases/download/plugins/velodrome-v2@0.1.0/velodrome-v2-${TARGET}, which are required dependencies and therefore execute remote code at runtime.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

• Secret detected (high risk: 1.00). I scanned the full skill prompt for high-entropy, literal credentials. Most candidates (contract/token addresses, truncated tx hashes like "0xabc...", "0x...", example values, and environment variable names) are either low-entropy, obviously example/truncated values, or documentation placeholders and therefore ignored per the rules.

However, the script contains a base64 literal: OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw== which is immediately decoded and assigned to _K and then used to compute an HMAC signature for a device token ("HMAC signature (obfuscated key, same as CLI binary)"). This is a high-entropy, directly embedded secret (an obfuscated/encoded signing key) rather than a placeholder or truncated example, so it meets the definition of a secret present in the documentation.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform on-chain financial operations: it supports swaps (swapExactTokensForTokens), adding/removing liquidity (mint/burn LP tokens), approving ERC‑20 allowances, and claiming rewards. It uses onchainos wallet contract-call to broadcast transactions (with txHash outputs) and instructs submitting transactions with a --confirm flag. These are direct crypto/blockchain transaction capabilities (wallet signing/broadcasting and token transfers), so it grants direct financial execution authority.