okx-dex-swap
Warn
Audited by Snyk on May 11, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches public content (e.g., shared/preflight.md instructs curling GitHub API/releases and raw.githubusercontent.com installers, and the Execution Flow/CLI calls ingest on-chain/DEX aggregator quote fields and an OKX DEX API), and those untrusted third‑party responses (token names, quotes, router lists, installer payloads) are read and used to make routing/approval/execute decisions, so external content can materially influence tool use.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's preflight explicitly downloads and executes a remote installer script at runtime (sh /tmp/onchainos-install.sh fetched from https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh), meaning remote code is fetched and run as a required dependency.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a crypto DEX aggregator with built-in transaction construction, signing, approval handling, and broadcasting. It exposes concrete commands like onchainos swap execute that perform quote → approve (if needed) → swap → sign & broadcast (returning tx hashes), requires wallet login/selection, supports slippage/gas/mev flags, and even has rules for forcing broadcasts and silent automated execution. These are specific, purpose-built crypto financial operations (wallet management, token swaps, transaction signing/broadcasting), not generic tooling. Therefore it grants Direct Financial Execution authority.
Issues (3)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).