web3-safe-guide

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.85). This is a direct raw GitHub link to an install.sh script (meant to be curl | sh), which grants arbitrary remote code execution; even though it's hosted under the "okx" GitHub account (a known crypto exchange), piping unreviewed shell scripts from the web is high-risk unless you verify the repo, commit history, and script contents first.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). This skill explicitly runs onchainos CLI commands (e.g., token search, token price-info, token holders, market signal-list, and swap quote) as described in SKILL.md to ingest public on-chain and market signal data, and those untrusted third-party results are directly used to compute safety scores and decide whether to proceed with or refuse swaps, so external content can materially influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly requires running a remote install script at runtime via "curl -sSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh", which fetches and executes remote code and is a required dependency for the skill (onchainos CLI).

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed for cryptocurrency trading and includes concrete, purpose-built commands to prepare and execute on-chain swaps. It uses the onchainos CLI swap workflow (onchainos swap quote, swap approve, onchainos swap swap) to produce approval calldata and swap transaction data, accepts a --wallet parameter, and includes transaction tracking via gateway orders. These are specific crypto/blockchain execution capabilities (wallet/approve/swap/tx submission), not generic tooling, and therefore provide direct financial execution authority for moving funds on-chain.