pendle-plugin

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill calls and consumes live responses from public Pendle endpoints (e.g., https://api-v2.pendle.finance/core and the v3/v2 SDK convert endpoints), extracts calldata, router addresses, required approvals, expected outputs and price-impact, and then uses those values to decide and execute ERC‑20 approvals and on-chain contract calls, so untrusted third‑party API content can directly influence tool use and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill's pre-flight install step fetches and executes remote installer code at runtime (e.g. https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh — plus launcher/binary downloads from https://raw.githubusercontent.com/okx/plugin-store/main/scripts/launcher.sh and https://github.com/okx/plugin-store/releases/download/plugins/pendle-plugin@0.2.8/pendle-plugin-...), which are runtime-fetched and executed and are required for the skill to operate, so they constitute high-risk remote-executed dependencies.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a crypto trading/execution plugin. It provides write operations that generate calldata and then submit on-chain transactions (buy-pt, sell-pt, buy-yt, sell-yt, add-liquidity, remove-liquidity, mint-py, redeem-py), handles ERC-20 approvals, and uses onchainos wallet contract-call to broadcast transactions (with --confirm to perform live execution and returns tx_hash/approve_txs). This is direct blockchain wallet/transaction signing and asset movement capability (crypto swaps, approvals, liquidity and mint/redeem), which matches "Crypto/Blockchain (Wallets, Swaps, Signing)" in the core rule.