okx-agent-task
Warn
Audited by Snyk on Jul 4, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.75). Outsider free text can enter the LLM context via the user-sub-session peer chat: inbound
a2a-agent-chatmessages from the counterparty (e.g., negotiation text or deliverable-related content) are routed intonext-action/role playbooks, and those playbooks instruct the agent to pass/handle the received message content verbatim (e.g., negotiation replies and deliverable handling), which is outsider-authored.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's preflight explicitly fetches and executes remote installer code at runtime (e.g. it calls the GitHub API https://api.github.com/repos/okx/onchainos-skills/releases/latest and downloads/executes the installer script from https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh and related release files at https://github.com/okx/onchainos-skills/releases/download/${LATEST_TAG}/installer-checksums.txt), which are runtime external fetches that may execute remote code and are required for the skill to install/update the onchainos binary.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is a blockchain-based task marketplace that explicitly references on-chain identities (ERC-8004), escrow/payment modes, task statuses that map to funds movement (e.g., "funds released to ASP", "funds returned to user"), and direct use of wallet/CLI commands (e.g., "onchainos wallet login",
onchainos agent gate-check, executing returned scripts fromonchainos agent next-action) which imply signing and submitting on-chain transactions. These are explicit crypto/blockchain wallet and funds-execution capabilities (not merely generic browsing or HTTP calls), so it grants direct financial execution authority.
Issues (3)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata