purr-intelligence
Audited by Snyk on Apr 22, 2026
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs the agent to extract API keys/agent IDs from registration responses, embed them verbatim in config commands (e.g., purr config set api-token "") and display the raw API key to the user, which requires the LLM to handle and output secret values directly.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.85). Suspicious: the skill instructs executing remote install scripts via "curl ... | bash" (direct .sh execution) and registers an API key with an unfamiliar domain (purr.pieverse.io); raw GitHub hosting is legitimate for storage but Pieverse-Eng and the purr domain are not well-known (OKX is reputable), so piping unknown scripts to a shell and sending credentials to an untrusted endpoint poses a high risk of malware or credential exfiltration.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). This skill explicitly fetches and ingests public, user-generated market and token metadata (e.g., via OnchainOS CLI commands such as "onchainos token search", "onchainos memepump token-details", "onchainos memepump token-dev-info", "onchainos security token-scan" shown across SKILL.md and references/buy.md/agent-automation.md) and even installs scripts from public GitHub URLs, and the agent is required to read and act on those outputs to decide/execute trades—so untrusted third-party content can materially influence actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's setup/install instructions run remote install scripts via curl piped to bash — e.g. https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh and https://raw.githubusercontent.com/Pieverse-Eng/purr-cli/main/install.sh — which are fetched at runtime, execute remote code, and are required dependencies for the skill.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed for crypto financial operations. It integrates a TEE-backed wallet (Purr) that performs signing, transfers, swaps, and batch transaction execution (e.g., "purr wallet transfer", "purr pancake/dflow swap --execute", "purr execute --file <steps.json>"). The prompt includes registration/configuration of API keys, autonomous trading modes that auto-execute trades, and clear step-by-step flows for obtaining quotes and executing swaps. These are direct mechanisms to move funds on-chain, not generic tooling, so it grants direct financial execution authority.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (medium risk: 0.60). The skill explicitly instructs the agent to install third‑party CLIs (via curl | bash), run installation and setup scripts, register/configure an API key, and create persistent config/state files in the user's home directory—actions that modify the machine's state and persist secrets (though it does not explicitly request sudo, create system users, or edit system-level files like ssh or systemctl).
Issues (6)
Insecure credential handling detected in skill instructions.
Suspicious download URL detected in skill instructions.
Third-party content exposure detected (indirect prompt injection risk).
Unverifiable external dependency detected (runtime URL that controls agent).
Direct money access capability detected (payment gateways, crypto, banking).
Attempt to modify system services in skill instructions.