okx-agentic-wallet
Fail
Audited by Snyk on May 13, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs the agent to display API keys (and to echo verification codes/keys in CLI commands) — requiring the LLM to output sensitive secrets verbatim, which is an exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's required pre-flight (see _shared/preflight.md) mandates calling the public GitHub API (https://api.github.com/repos/okx/onchainos-skills/releases/latest) and downloading installer scripts/checksums from raw.githubusercontent.com/releases — mandatory runtime fetching and execution of public repository content that directly influences installation and subsequent agent behavior exposes it to untrusted third-party content.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's shared preflight explicitly runs runtime fetch-and-execute commands (e.g., `curl -sSL "https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh" -o /tmp/onchainos-install.sh` then `sh /tmp/onchainos-install.sh`), so it fetches remote code from raw.githubusercontent.com and executes it as a required installation step.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is expressly a crypto wallet / on-chain transaction executor. It defines explicit commands for sending native tokens and ERC‑20/SPL tokens (onchainos wallet send), performing contract calls (onchainos wallet contract-call), signing (personalSign, EIP‑712, TEE signing), exporting wallets, managing Gas Station (enable/disable/update-default-token/setup) and other on‑chain write operations. These are specific crypto/blockchain financial actions (wallet transfers, swaps/contract interactions, signing and broadcasting txs), not generic tooling. Therefore it grants Direct Financial Execution authority.
Issues (4)
- HIGH W007: Insecure credential handling detected in skill instructions.
- MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).