lido-plugin

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required pre-flight steps in SKILL.md instruct the agent to fetch and potentially execute files from public URLs (e.g., curl to raw.githubusercontent.com for plugin.yaml, launcher.sh, and installer scripts) and its runtime commands also fetch data from public third‑party APIs (yields.llama.fi and wq-api.lido.fi), meaning untrusted external content is ingested as part of the workflow and can influence updates or actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's auto-injected pre-flight steps fetch and execute remote code at runtime—specifically the installer script at https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh (downloaded and run with sh), the launcher at https://raw.githubusercontent.com/okx/plugin-store/main/scripts/launcher.sh (downloaded and used as the executable launcher), and the plugin binary from https://github.com/okx/plugin-store/releases/download/plugins/lido-plugin@0.2.8/lido-plugin- (downloaded and made executable)—which satisfies runtime fetching and execution of external content the skill relies on.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a crypto financial plugin: it defines commands that create and submit on-chain transactions to move value (stake ETH, request withdrawals, claim ETH, wrap/unwrap stETH/wstETH). It includes concrete contract addresses, ABI selectors, calldata examples, and explicit execution steps using onchainos wallet contract-call to broadcast transactions and wait for confirmations. Those are specific crypto/blockchain transaction and wallet operations (signing/sending on-chain transfers), not generic tooling. Although it requires user confirmation, the primary purpose is to perform financial actions on-chain (staking, claiming, transferring value), so it meets the "Direct Financial Execution" criteria.