okx-dapp-discovery
Fail
Audited by Snyk on May 13, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). High supply‑chain and remote‑execution risk: the skill auto-installs and executes third‑party plugins (via npx, the GitHub Contents API and optional fallback installs), forwards user prompts into those plugins (which "own" trades/transfers), and explicitly supports downloading and running precompiled binaries and scripts from GitHub releases (curl → chmod → ln into PATH). This pattern can be abused to achieve remote code execution, unauthorized transactions, data exfiltration and credential theft, and to facilitate market‑manipulative actions (e.g., pump.fun). The documented consent gate reduces risk but is not foolproof against obfuscation or malicious plugin behavior.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). This skill probes and fetches public plugin content (via the GitHub Contents API and npx skills add) from the okx/plugin-store and explicitly reads each plugin's SKILL.md (and may run plugin-provided pre-flight binaries from github.com/okx/plugin-store/releases or raw.githubusercontent.com) and then forwards the user's prompt into those plugins, so untrusted third‑party files can materially influence tool choice and subsequent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill explicitly performs a runtime curl to the GitHub Contents API (https://api.github.com/repos/okx/plugin-store/contents/skills) to discover and install plugins whose SKILL.md and pre-flight binaries (e.g., from https://github.com/okx/plugin-store/releases and raw.githubusercontent.com) are fetched at runtime and can directly control routing/prompts or execute remote code.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a DeFi DApp resolver/installer that routes user intents like swap/deposit/stake/borrow/buy/sell/snipe/farm/claim and Polymarket bets to protocol-specific plugins (Aave, Uniswap/PancakeSwap, Hyperliquid, GMX, Polymarket, Pendle, Lido, etc.). It is specifically designed for crypto/blockchain financial operations: it identifies protocol-native tokens, maps them to plugins, silently installs the plugin if needed, then forwards the user's trade/bet/transfer request to that plugin (which "owns the actual trade/bet/transfer"). Because its primary purpose is to enable and bootstrap protocol-level financial actions (on-chain swaps, staking, borrowing, prediction-market bets), it grants direct financial execution authority via the installed plugins.
Issues (4)
- CRITICAL E006: Malicious code pattern detected in skill scripts.
- MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata