spark-savings-plugin
Warn
Audited by Snyk on Jun 16, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's pre-flight install steps fetch and execute remote installer and binaries at runtime (notably the installer script https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh and the plugin binary/release assets under https://github.com/okx/plugin-store/releases/download/plugins/spark-savings-plugin@0.1.1/...), which are required dependencies and involve executing remote code.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly implements money-moving operations: deposit (USDS→sUSDS), withdraw (sUSDS→USDS), and upgrade-dai (DAI→USDS) with flows that perform ERC-20 approvals and then call onchainos wallet contract-call to sign & broadcast on-chain transactions. The commands accept a --confirm flag to submit transactions, return tx_hash, and describe retry/allowance/gas behavior and PSM/vault contract interactions (swapExactIn, deposit, redeem). Although it requires explicit confirmations, the plugin's primary purpose is to execute financial transactions on-chain, so it grants direct financial execution authority.
Issues (2)
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata