euler-v2-plugin
Warn
Audited by Snyk on Jun 16, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The pre-flight runtime steps download and execute remote installer code (e.g. sh "https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh") and fetch/install binaries/scripts from GitHub (e.g. https://raw.githubusercontent.com/okx/plugin-store/main/scripts/launcher.sh and https://github.com/okx/plugin-store/releases/download/…/euler-v2-plugin-), and also run npx installs that execute code from the registry — these are runtime fetches that execute remote code and are required for the skill.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a crypto-finance execution plugin for Euler v2 on Ethereum/Base/Arbitrum. It exposes state-changing commands that sign and broadcast on-chain transactions (e.g., supply via IERC20.transfer + vault.skim, withdraw/redeem, borrow, repay via vault.repayWithShares, enable/disable-collateral/controller, claim-rewards) and invokes onchainos wallet contract-call to submit writes. Those commands directly move tokens and modify on-chain balances; the manifest even describes transaction signing, gas estimates, and OKX TEE wallet integration. Although a confirmation protocol and safety gates are specified, the skill's primary purpose is to initiate and sign blockchain money-moving operations. Therefore it provides direct financial execution capability (crypto/blockchain wallet & transaction signing).
Issues (2)
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata