okx-agent-payments-protocol
Audited by Snyk on May 29, 2026
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.85). High: the dispatcher first performs an HTTP request to a user-specified/original URL (Step A1), then parses and decodes seller-provided
PAYMENT-REQUIRED/WWW-Authenticatecontent (base64 JSON or base64urlrequest) and uses it to construct LLM-visible payment details and to drive subsequent tool calls; this is outsider-authored free text from a public/remote server response.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill decodes and acts on server-supplied payment challenges delivered at runtime in the original resource's HTTP 402 response (PAYMENT-REQUIRED header or WWW-Authenticate request field) — e.g., the example resource URL https://api.example.com/data — and uses that decoded JSON to drive user prompts and signing, which is a runtime external input controlling agent behavior.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a payments dispatcher for the "OKX Agent Payments Protocol" and contains concrete, payment-specific commands and flows that move value:
- References and invokes payment-specific CLIs: e.g., onchainos payment pay, onchainos payment pay-local, onchainos payment session, and onchainos wallet status/login. These are not generic callers — they are payment/wallet tools.
- Describes signing and header assembly for replaying authenticated payment requests (assemble X-PAYMENT / PAYMENT-SIGNATURE / authorization_header and replay original request).
- Handles EVM-specific payment details: chainId, recipient (merchant payee address), currency (ERC-20 contract), amount in base units, feePayer (transaction vs hash mode), splits, session channel operations (open/topup/settle/voucher/refund).
- Supports a2a flows (create payment link, buyer pay) and requires live wallet sessions to sign/pay.
These are direct financial-execution capabilities (creating/sending signed payment transactions, opening/operating payment channels, broadcasting txs). Therefore this skill grants Direct Financial Execution Authority.
MEDIUM W021: Hidden or invisible Unicode characters detected (potential obfuscation or prompt injection).
- Hidden Unicode characters detected (1 type(s) found)
Issues (4)
Third-party content exposure detected (indirect prompt injection risk).
Unverifiable external dependency detected (runtime URL that controls agent).
Direct money access capability detected (payment gateways, crypto, banking).
Hidden or invisible Unicode characters detected (potential obfuscation or prompt injection).