okx-growth-competition

Fail

Audited by Snyk on May 29, 2026

Risk Level: HIGH
Full Analysis

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the entire skill text for literals that meet the "secret" definition (high-entropy, usable credentials). I found one high-entropy literal that appears to be an API/project header key:
  • "OK-ACCESS-PROJECT: 4d156bf0c61130f2692d097ecb68dbe4" — this is a 32-hex-character token presented as an extra header in API/CLI examples. It is not a placeholder (no "YOUR_*" text), looks random/opaque, and therefore qualifies as a secret (likely an API/project key).

Other candidate-looking values are ignored for the reasons below:

  • "5747d742-..." (truncated accountId), "0x8e3f..." (truncated address), "7KRu...", "5abc..." etc. — truncated/redacted, not full usable credentials → ignored.
  • Masked nicknames like "Agentic....abcd" — intentionally masked/example strings → ignored.
  • Short/simple strings in examples (e.g., "hippo", "HIPPO", "50000 HIPPO") — low-entropy or obvious examples → ignored.
  • Any internal numeric IDs shown as examples are documentation data, not secrets.

Conclusion: the documentation contains a real-looking, high-entropy header token ("4d156bf0c61130f2692d097ecb68dbe4"), which should be treated as a secret.


MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly includes on-chain trading and claiming capabilities: it delegates trades to an OKX dex swap tool (swap_swap / okx-dex-swap) and describes executing swaps; it also exposes an atomic competition_claim MCP/CLI that performs signing and on-chain broadcast (returns txHash array) using the TEE-managed wallet key. It also covers competition_join/claim flows that resolve wallets and perform on-chain transactions. These are specific crypto transaction/Wallet signing and broadcast operations (Direct Financial Execution).

MEDIUM W021: Hidden or invisible Unicode characters detected (potential obfuscation or prompt injection).

  • Hidden Unicode characters detected (1 type(s) found)

Issues (3)

W008
HIGH

Secret detected in skill content (API keys, tokens, passwords).

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

W021
MEDIUM

Hidden or invisible Unicode characters detected (potential obfuscation or prompt injection).

Audit Metadata
Risk Level
HIGH
Analyzed
May 29, 2026, 11:35 AM
Issues
3
Security Audit — snyk — okx-growth-competition