pancakeswap-v2-plugin
Warn
Audited by Snyk on May 13, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill directly queries public, third-party RPC endpoints and on-chain contracts (e.g., bsc-rpc.publicnode.com / base-rpc.publicnode.com / arbitrum-one-rpc.publicnode.com and various eth_call RPCs shown in SKILL.md and quickstart.rs), and the plugin logic (determine_path, quote, swap, add/remove-liquidity, quickstart) parses those untrusted external responses to choose paths, amounts, approvals and transactions, so external content can materially influence agent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's pre-flight setup fetches and executes remote installer code at runtime (e.g. "https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh" — and also downloads binaries from "https://github.com/okx/plugin-store/releases/.../pancakeswap-v2-plugin-..."), which directly executes remote code and is required for the skill to run.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a crypto trading/liquidity plugin for PancakeSwap V2. It defines commands that perform on-chain write operations: swap, add-liquidity, remove-liquidity, and ERC-20 approvals. Those write ops are submitted via "onchainos wallet contract-call", return txHash and explorer links, and support a live broadcast flag (--confirm) (with --dry-run previews). This is direct blockchain/crypto financial execution (wallet transactions, token approvals, swaps, LP management).
Issues (3)
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata