EigenCloud
Warn
Audited by Snyk on Jun 16, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). Yes — the pre-flight install steps fetch and execute remote installers/binaries at runtime (for example: https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh is downloaded and run via sh, https://raw.githubusercontent.com/okx/plugin-store/main/scripts/launcher.sh is fetched and made executable, and https://github.com/okx/plugin-store/releases/download/plugins/eigencloud-plugin@0.1.1/... is downloaded and installed), so external content is fetched during runtime and executed as a required dependency.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly provides crypto on-chain transaction capabilities: it uses onchainos wallet commands (login, addresses, balance) and exposes commands that build, sign, and broadcast transactions (eigencloud-plugin stake --confirm performs ERC-20 approve + depositIntoStrategy transactions; delegate --confirm broadcasts delegateTo; undelegate --confirm broadcasts undelegate). The Live Trading Confirmation Protocol further documents and gates live on-chain writes, confirming this skill's primary purpose includes sending signed blockchain transactions. This is direct financial execution (crypto/blockchain wallet signing and broadcasting).
Issues (2)
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata