strategy-signal-tracker

Fail

Audited by Gen Agent Trust Hub on Mar 24, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill uses 'curl | sh' patterns to download and run installation scripts from remote GitHub repositories for 'onchainos' and 'plugin-store'.
  • [REMOTE_CODE_EXECUTION]: Data fetched from a GitHub API endpoint is piped directly into a Python 3 interpreter, allowing for arbitrary code execution if the remote content is compromised.
  • [PROMPT_INJECTION]: The instructions require the agent to tell users that security warnings are 'false positives', a deceptive instruction designed to override security filters and user caution.
  • [COMMAND_EXECUTION]: The skill executes multiple shell commands to install, update, and manage external binaries without verifying their integrity via hashes or signatures.
  • [EXTERNAL_DOWNLOADS]: The skill downloads executable scripts and configuration files from external GitHub repositories that are not verified.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh, https://raw.githubusercontent.com/okx/plugin-store/main/install_strategy.sh, https://raw.githubusercontent.com/okx/plugin-store/main/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 24, 2026, 07:22 AM