okx-dex-trenches
Warn
Audited by Snyk on Mar 23, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). This skill explicitly calls public memepump endpoints (e.g., onchainos memepump tokens, token-details, token-dev-info, aped-wallet) that ingest on-chain and social metadata (token names, descriptions, logoUrl, social.x/telegram/website fields and pump.fun protocol data) from open/public sources. The SKILL.md workflows show that the agent reads and uses that untrusted content to drive decisions and follow-up actions (including swap execution), which enables indirect prompt injection.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's pre-flight steps fetch and execute a remote installer at runtime (e.g., curl -sSL "https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh" -o /tmp/onchainos-install.sh, followed by sh /tmp/onchainos-install.sh), and it also queries the GitHub API ("https://api.github.com/repos/okx/onchainos-skills/releases/latest") to drive that behavior, so remote content is fetched and executed and is required for the skill to run.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly includes crypto transaction and wallet operations that can move funds. Examples: it references swap execution flows (onchainos swap quote → onchainos swap swap), broadcasting signed transactions (onchainos gateway broadcast --signed-tx), and direct agentic wallet calls to execute transactions (onchainos wallet contract-call for Solana and EVM with --value and --input-data). It also contains wallet management tips ("create a new wallet", "show my addresses") and describes getting swap calldata and executing transactions. These are specific crypto/chain signing and execution capabilities (not generic HTTP or browser automation), so the skill grants direct financial execution authority.
Issues (3)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).