strategy-grid-trade
Fail
Audited by Snyk on Mar 17, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). These URLs point to raw GitHub shell scripts (curl|sh) — one from an official-sounding org (okx) and others from an unverified personal repo — and instruct automatic download/execute of binaries, which is high risk because running unreviewed scripts or installers from personal/low‑activity accounts can introduce malware or enable supply‑chain compromise.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). SKILL.md's Pre-flight Steps explicitly instruct curling and running install scripts from raw.githubusercontent.com (public GitHub repos) and the core algorithm fetches price quotes from external OKX DEX/public Base RPC endpoints, so the skill ingests untrusted public third‑party content that can directly influence trading decisions and tool behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly runs remote install scripts at runtime via curl -sSL ... | sh for required dependencies, namely https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh, https://raw.githubusercontent.com/purong-huang-1121/skills-store/main/install.sh, and https://raw.githubusercontent.com/purong-huang-1121/skills-store/main/install_strategy.sh, which downloads and executes remote code that the skill depends on.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a crypto trading bot: it runs on the Base chain, requires an EVM private key (EVM_PRIVATE_KEY) for on-chain signing and OKX API credentials, and explicitly executes swaps via the OKX DEX aggregator. Commands like
strategy-grid tick,strategy-grid start, andstrategy-grid retryare defined to execute trades, re-execute failed trades, and produce tx hashes in history. This is a specific financial-execution tool (on-chain crypto trading / order execution), not a generic capability.
Issues (4)
E005
CRITICALSuspicious download URL detected in skill instructions.
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata