pancakeswap-clmm-plugin

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill actively fetches and interprets public, user-controlled on‑chain data via public RPC endpoints (see plugin.yaml api_calls and SKILL.md/config/code — e.g., positions auto-discovery that scans ERC‑721 Transfer logs via eth_getLogs and owner/pending_cake checks in src/commands/*), and those untrusted third‑party responses are used to decide/prevent actions (ownership checks, previews, tx calldata and whether to execute), so external data can materially influence tool behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's pre-flight install script fetches and executes remote installer code at https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh (curl -o ... then sh ...), which is used at runtime and is a required external dependency that executes remote code.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly performs blockchain financial operations: it stakes/unstakes LP NFTs, harvests CAKE rewards, collects swap fees, and broadcasts on-chain transactions via onchainos wallet contract-call. Commands like farm, unfarm, harvest, and collect-fees can execute transactions when run with --confirm (and report txHash and token amounts). It lists contract addresses, chain IDs, and wallet resolution behavior — all indicating direct ability to move crypto assets and sign/broadcast transactions. This matches "Crypto/Blockchain (Wallets, Swaps, Signing)" in the core rule.