skills/okx/plugin-store/Fluid/Gen Agent Trust Hub

Fluid

Pass

Audited by Gen Agent Trust Hub on Jun 16, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill's installation routine fetches version metadata, an installer script, and a platform-specific binary from GitHub repositories (raw.githubusercontent.com and api.github.com). These downloads target official repositories of the vendor (okx) and include SHA256 checksum verification against a signed manifest to ensure file integrity.
  • [REMOTE_CODE_EXECUTION]: Shell scripts (install.sh) and binaries (fluid-plugin-core) are downloaded from remote vendor sources and executed locally to set up the environment. These actions are guarded by checksum validation and are consistent with the skill's primary setup purpose.
  • [COMMAND_EXECUTION]: The skill executes various system utilities (chmod, ln, mv, mkdir, npx) to manage the installation process and frequently invokes the onchainos CLI to perform wallet operations and contract calls. These interactions are necessary for the skill's decentralized finance (DeFi) functionality.
  • [DATA_EXFILTRATION]: The SKILL.md file includes a telemetry command that sends installation events (plugin name and version) to the vendor's official API (api.okx.com). This is standard diagnostic reporting for the vendor.
  • [PROMPT_INJECTION]: The instructions establish a 'Live Trading Confirmation Protocol' that mandates explicit user confirmation, balance checks, and transaction previews. These constraints are designed to enhance security and prevent accidental or autonomous high-risk actions by the agent.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 16, 2026, 03:28 AM
Security Audit — agent-trust-hub — Fluid