dapp-morpho

Fail

Audited by Snyk on Mar 15, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly queries the public "Morpho GraphQL API" (SKILL.md: "The Morpho GraphQL API is fully public") and returns market/vault fields, including metadata.description and metadata.forumLink. The workflow instructs the agent to read these fields and use them to compare markets and decide on deposits and withdrawals, so untrusted third-party content can materially influence the agent's actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly supports on-chain deposit and withdrawal operations. It documents a "vault client" that performs ERC-4626 deposit/withdraw with automatic ERC-20 approval and requires an EVM_PRIVATE_KEY to sign transactions. Multiple sections (Authentication, Workflow B, Operation Flow Step 3 Action phase, and Edge Cases) state that the private key is used to sign deposit/withdraw transactions on-chain and instruct users to set EVM_PRIVATE_KEY for deposits/withdrawals. Those are explicit instructions and tools to move funds (send transactions), not generic read-only or browsing capabilities.

Issues (4)

E005 (CRITICAL): Suspicious download URL detected in skill instructions.

W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 15, 2026, 03:52 AM
Issues: 4