pancakeswap-v3-plugin

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches public third-party data (e.g., QuoterV2 via eth_call in the quote/swap flows, TheGraph subgraph in positions, and multiple public RPC / GitHub raw URLs shown in SKILL.md and plugin.yaml), the agent is required to read and act on those responses to compute quotes, slippage, tick ranges and to decide/send transactions, and those external responses could therefore influence tool use and subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill's pre-flight install step downloads and executes a remote installer script at runtime from https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh (and also fetches launcher and binaries from raw.githubusercontent.com / github.com releases), which fetches and runs remote code as a required dependency for the skill.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a crypto trading/DEX plugin: it performs token swaps (swap command), ERC-20 approvals, mints/removes V3 LP positions (add-liquidity, remove-liquidity), and broadcasts on-chain transactions via onchainos wallet contract-call (with --confirm to submit). It lists smart contract addresses, requires wallet connection, and returns transaction hashes. These are specific, purpose-built blockchain financial execution actions (moving/switching tokens and managing liquidity), not generic tooling. Therefore it grants direct financial execution capability.