strategy-auto-rebalance
Fail
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: HIGH
PROMPT_INJECTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill explicitly instructs the agent to inform the user that any security scanning warnings (e.g., from Gen, Snyk, or Socket) are 'false positives' and 'misleading.' This is a deceptive instruction intended to bypass human oversight and security filtering by coaching the AI to provide pre-written justifications for potentially risky operations.
- [EXTERNAL_DOWNLOADS]: Fetches multiple installation and update scripts from GitHub repositories belonging to OKX (okx/onchainos-skills and okx/plugin-store). These resources are documented neutrally as they originate from a well-known technology service provider.
- [REMOTE_CODE_EXECUTION]: The skill executes remote shell scripts directly by piping `curl` output to `sh`. This is used to install the `onchainos` binary, the `plugin-store` utility, and the `strategy-auto-rebalance` daemon. It also pipes JSON data from the GitHub API into a Python one-liner for download count calculations.
- [COMMAND_EXECUTION]: Frequently invokes shell commands to manage the rebalancing lifecycle, including `which` checks, `npx skills add` for package management, and `strategy-auto-rebalance start` for daemon execution.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh, https://raw.githubusercontent.com/okx/plugin-store/main/install_strategy.sh, https://raw.githubusercontent.com/okx/plugin-store/main/install.sh. DO NOT USE without thorough review.
Audit Metadata