okx-agentic-wallet

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs the agent to ask for and embed verification codes (onchainos wallet verify ) and to display API key values to the user (show both keys and confirm switch), which requires outputting secrets verbatim and therefore creates exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's Pre-flight Checks explicitly instruct the agent to fetch release metadata and download installer/checksum files from public GitHub endpoints (curl "https://api.github.com/repos/okx/onchainos-skills/releases/latest" and raw.githubusercontent.com / github.com/releases URLs), which are public, user-controlled third‑party content that the agent must read/verify and then may execute—directly meeting the criteria for indirect prompt-injection risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's pre-flight checks explicitly download and execute a remote installer script (sh /tmp/onchainos-install.sh) from raw GitHub at https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh, which fetches and runs remote code and is required for the skill to operate.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a cryptocurrency wallet agent with commands to authenticate wallets, view balances, and — critically — send tokens and execute smart contract calls (e.g., onchainos wallet send, onchainos wallet contract-call, MEV-protected broadcasts, TEE signing, transaction broadcasting). It includes explicit flows for transfers (native, ERC‑20/SPL), contract interactions, signing, and broadcasting transactions. Because it is specifically designed to move crypto funds (not a generic API caller or browser automation), it grants Direct Financial Execution authority.