coinank-openapi
Warn
Audited by Snyk on Jun 16, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The pre-flight install step fetches and executes remote installer code at runtime (curl to https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh and then sh "$ONCHAINOS_TMP/install.sh", with related checksum download from https://github.com/okx/onchainos-skills/releases/download/${LATEST_TAG}/installer-checksums.txt), so the skill performs a runtime fetch that executes external code and relies on it for the onchainos dependency.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly handles Agent Payments Protocol / x402 pay-per-call flows and references crypto payment tooling: it requires and delegates payment execution to okx-agent-payments-protocol and okx-agentic-wallet, describes signing schemes (EOA vs contract wallet), mandates generating payment proofs or using the
chargeflow, and instructs replaying requests with payment headers after payment. These are specific crypto payment/signing integrations (wallet signing/payment gateway behavior), so the skill is designed to initiate/coordinate on-chain or payment actions rather than being purely generic. Therefore it grants Direct Financial Execution capability (via delegated OKX payment skills).
Issues (2)
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata