okx-onchain-gateway

Fail

Audited by Snyk on Mar 23, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The skill explicitly requires taking user-provided signed transactions (the --signed-tx value) and including them verbatim in broadcast commands/requests, which forces the LLM to handle sensitive secret-like values in its output and creates an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill's mandatory Pre-flight Checks explicitly fetch and ingest public GitHub content (curl to https://api.github.com/repos/okx/onchainos-skills/releases/latest and raw.githubusercontent.com / github.com release assets and checksums) as part of every command run, so untrusted third‑party data from the open web is read and used to decide installs/execution.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The skill's Pre-flight Checks explicitly fetch and execute remote installer code at runtime (e.g., curl ... "https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh" followed by sh /tmp/onchainos-install.sh, as well as related GitHub release URLs), so external content is downloaded, executed, and relied upon for operation.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly implements on-chain transaction operations: estimating gas, simulating, broadcasting signed transactions, and tracking broadcast orders across multiple blockchains (Ethereum, Solana, BSC, Arbitrum, Polygon, etc.). It includes commands like "broadcast --signed-tx", supports MEV protection parameters (e.g., enableMevProtection: true, Jito tips), and is described as the "final mile" that takes signed transactions and sends them on-chain. These are direct crypto/financial execution functions (sending transactions that move value), not generic tooling. Therefore it grants direct financial execution authority.

Issues (4)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

  • Risk Level: HIGH
  • Analyzed: Mar 23, 2026, 01:20 PM
  • Issues: 4