gmx-v2-plugin

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill clearly fetches and ingests data from open public third-party sources — e.g., the GMX/ RPC endpoints listed in plugin.yaml (https://arbitrum-api.gmxinfra.io, https://avalanche-api.gmxinfra.io, publicnode RPCs) and remote GitHub raw URLs/curl checks in SKILL.md — and that untrusted runtime data is parsed and used to drive decisions and next actions (e.g., quickstart status, pre-flight checks, and whether to broadcast transactions), so it can materially influence tool use and enable indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill's pre-flight install step downloads and then executes a remote installer script at runtime (sh "$ONCHAINOS_TMP/install.sh") from https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh, which constitutes executing fetched remote code required for the skill to function.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a crypto trading plugin for GMX V2 with built-in write operations that submit on-chain transactions via an authenticated wallet. It supports opening/closing leveraged positions, placing/canceling orders, depositing/withdrawing pool liquidity, and claiming fees — all of which call smart-contract functions and broadcast transactions (via onchainos wallet contract-call, --confirm flag, and returning txHash). This is a specific financial execution capability for crypto/blockchain asset management and transaction signing, not a generic tool. Therefore it meets the "Direct Financial Execution" criteria.