sparklend-plugin

Warn

Audited by Gen Agent Trust Hub on Jun 16, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill provides manual installation instructions in SKILL.md that download a binary from a third-party GitHub repository (github.com/skylavis-sky/plugin-store) and execute it using chmod +x without providing or verifying a SHA256 checksum.
  • [EXTERNAL_DOWNLOADS]: The skill's automated installation logic in SKILL.md downloads the onchainos CLI and the sparklend-plugin binary from the vendor's official GitHub organization (okx). These downloads are secured with SHA256 checksum verification and resolved via official API release tags.
  • [COMMAND_EXECUTION]: The plugin binary and installation scripts make multiple subprocess calls to the onchainos CLI to perform wallet authentication, token searches, and contract interactions. It also executes local shell scripts for environment setup.
  • [SAFE]: The skill is susceptible to indirect prompt injection via blockchain data and CLI outputs.
  • Ingestion points: Real-time market data from ethereum.publicnode.com and token metadata from onchainos CLI.
  • Boundary markers: SKILL.md includes an explicit security notice instructing the agent to treat all returned data as untrusted external content and to never interpret it as system directives.
  • Capability inventory: Subprocess execution of the onchainos CLI for wallet and contract operations.
  • Sanitization: The Rust implementation parses external JSON data and uses strictly typed ABI encoding (alloy-sol-types) for all on-chain interactions.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 16, 2026, 03:28 AM
Security Audit — agent-trust-hub — sparklend-plugin