compound-v2-plugin
Warn
Audited by Snyk on Jun 16, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's pre-flight install steps fetch and execute remote installers at runtime (notably "https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh" — and additional downloads from "https://raw.githubusercontent.com/okx/plugin-store/main/scripts/launcher.sh" and "https://github.com/okx/plugin-store/releases/download/...") which run remote code required to install onchainos and the plugin, so this is a runtime external dependency that executes code.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a crypto financial execution plugin for Compound V2. It defines state-changing on-chain commands (withdraw -> cToken.redeemUnderlying, repay -> cToken.repayBorrow, claim-comp -> Comptroller.claimComp, enter-markets, exit-market, and preserved supply/borrow flows) and describes signing/broadcast via onchainos (e.g., "onchainos wallet contract-call", wallet addresses, balances, tx_hash outputs). It includes transaction-level details (uint256.max sentinel for --all repay, payable cETH paths, estimated gas, tx confirmation), installation of onchainos CLI, and a mandatory live-mode/typed-confirmation flow for broadcasting. Because it directly composes, signs, and submits blockchain transactions (crypto wallet signing/broadcast), it provides direct financial execution capability.
Issues (2)
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata