okx-dex-swap
Fail
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: HIGH
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill downloads and executes an installer script (install.sh or install.ps1) from the okx/onchainos-skills GitHub repository during initialization. This allows for arbitrary code execution on the user's system.
- [CREDENTIALS_UNSAFE]: The skill explicitly directs users to click 'Always Allow' for system Keychain prompts, providing the agent with persistent, unprompted access to sensitive stored credentials.
- [COMMAND_EXECUTION]: The skill executes multiple system commands, including shell scripts, PowerShell scripts, and network utilities like curl to manage its installation and runtime lifecycle.
- [EXTERNAL_DOWNLOADS]: The skill fetches several remote resources including the GitHub API for versioning, installer scripts, and multiple checksum files for integrity verification.
- [DATA_EXFILTRATION]: The skill combines network communication capabilities (via curl) with instructions to access credentials in the system Keychain, establishing a high-risk capability chain for sensitive data harvesting.
- [PROMPT_INJECTION]: The skill contains deceptive metadata and an indirect prompt injection surface.
  - Deceptive Metadata: The provided author context (Starchild-ai-agent) does not match the skill's internal metadata author (okx).
  - Indirect Injection Surface:
    1. Ingestion points: CLI output from onchainos swap quote.
    2. Boundary markers: Warning included but no structural delimiters present.
    3. Capability inventory: Uses onchainos wallet contract-call for blockchain transactions.
    4. Sanitization: Absent.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata