etherfi-plugin
Warn
Audited by Snyk on May 12, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill directly fetches untrusted, public third-party data (on-chain RPC at https://ethereum-rpc.publicnode.com and external APIs at yields.llama.fi and coins.llama.fi) in required workflows (positions and quickstart) and uses those responses to produce onboarding "next_command", balance/allowance checks and to decide/preview/broadcast transactions, so external content can materially influence actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's auto-injected pre-flight installs fetch and execute remote code at runtime — e.g. it downloads and runs the onchainos installer script from "https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh" and also downloads a signed plugin binary from "https://github.com/okx/plugin-store/releases/download/plugins/etherfi-plugin@0.2.10/etherfi-plugin-${TARGET}${EXT}", so required runtime content is fetched remotely and executed.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a crypto financial execution plugin. It provides specific on-chain write operations that move funds: "stake" (deposit ETH into the LiquidityPool, sends msg.value), "unstake" (request and claim withdrawals that burn eETH and send ETH), "wrap"/"unwrap" (convert eETH <-> weETH), and related ERC-20 approve flows. It documents concrete contract addresses and ABI selectors, and uses "onchainos wallet contract-call" to build and broadcast transactions (with "--confirm"), returning tx hashes. These are purpose-built blockchain payment/asset-management actions (wallet signing and broadcasting), not generic tooling — therefore this grants Direct Financial Execution Authority.
Issues (3)
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUM: Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata