aave-v3-plugin
Warn
Audited by Snyk on May 29, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's pre-flight/runtime install steps fetch and run remote installer and binaries (notably https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh which is downloaded and executed, and the release binary URL base https://github.com/okx/plugin-store/releases/download/plugins/aave-v3-plugin@0.2.8 which downloads a required executable), so remote content is fetched at runtime and executed as a required dependency.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly for on-chain financial operations. It constructs ABI calldata and (with --confirm) submits transactions via onchainos wallet contract-call to Aave Pool, including ERC-20 approve, supply/deposit, withdraw, borrow, repay, set-collateral, set-emode, and claim-rewards. It requires a connected wallet and performs signed blockchain transactions (crypto wallet interactions). This is a specific crypto/blockchain execution capability, not a generic tool.
MEDIUM W021: Hidden or invisible Unicode characters detected (potential obfuscation or prompt injection).
- Hidden Unicode characters detected (1 type(s) found)
Issues (3)
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
W021
MEDIUMHidden or invisible Unicode characters detected (potential obfuscation or prompt injection).
Audit Metadata