okx-agent-payments-protocol

Fail

Audited by Snyk on May 14, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). This skill requires the agent to pass full challenge JSON into CLI commands and to return ready-to-paste authorization headers (X-PAYMENT / PAYMENT-SIGNATURE / authorization_header), which forces the LLM to emit signature/session tokens or similarly sensitive header values verbatim — creating an exfiltration risk even if signing is done by external tools.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly makes and decodes arbitrary HTTP responses from third-party servers (SKILL.md Step A1–A3) — ingesting untrusted PAYMENT-REQUIRED / WWW-Authenticate headers and a2a payment challenges (also described in references/a2a_charge.md) whose parsed fields directly determine routing, signing actions, and subsequent tool use, so third-party content can influence agent behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly a payment dispatcher for blockchain/EVM payments (OKX Agent Payments Protocol). It contains specific, finance-focused operations: assembling payment authorization headers, signing and replaying payment requests, opening/top-up/closing payment channels, producing tx-hash/status, handling EIP-3009 flows, and invoking wallet- and payment-specific CLI commands (onchainos payment pay, onchainos payment pay-local, onchainos wallet status/login). These are direct crypto/transaction execution capabilities (wallet signing, broadcasting, channel management, and a2a payment flows), so it grants Direct Financial Execution Authority.

Issues (3)

W007 (HIGH): Insecure credential handling detected in skill instructions.

W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: HIGH
Analyzed: May 14, 2026, 04:39 AM
Issues: 3