SushiSwap V3
Warn
Audited by Snyk on Jun 16, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill fetches and executes or relies on remote runtime content: e.g. https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh (downloaded and then executed after checksum verification), https://github.com/okx/plugin-store/releases/download/plugins/sushiswap-v3-plugin@0.1.2/... (downloads the plugin binary which is installed/executed), and https://api.sushi.com/swap/v7/... (queried at runtime to return router address and calldata that the agent uses to build and send on‑chain transactions), so these URLs are runtime dependencies that directly control execution.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly performs on-chain crypto financial actions: it builds, signs and broadcasts transactions for swaps and liquidity management. Examples:
sushiswap-v3-plugin ... swap ... --confirm(executes swap and returns tx_hash),mint-position ... --confirm(approves tokens and mints LP),remove-liquidity,collect-fees, andburn-positionall send transactions. The doc also referencesonchainos wallet contract-calland wallet balance/address checks and automatic token approvals — i.e. direct wallet signing and broadcasting of blockchain transactions. This is direct crypto/blockchain execution authority (wallets, swaps, signing), so it meets the Direct Financial Execution criteria.
Issues (2)
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata