Security audit

Okx Security

Security checks across malware telemetry and agentic risk

Overview

This is a real crypto security helper, but it asks an agent to run an unreviewed remote installer and includes wallet-connected transaction paths that need careful review.

Install only if you trust OKX's onchainos GitHub release and are comfortable with an agent installing or updating a local CLI. Before use, require explicit approval before any installer runs, before the active wallet address is used, and before any approval revoke, contract-call, broadcast, or swap execution. For simple token or URL checks, prefer giving explicit contract addresses or URLs rather than letting the skill inspect a whole wallet portfolio.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Severity: Medium (95% confidence)
Finding: The skill reference expands from passive security scanning into wallet-balance retrieval and portfolio inspection workflows, which broadens the data access and operational scope beyond what the skill metadata promises. In an agent setting, this can cause the model to collect unnecessary wallet data and normalize the transition from analysis into transactional workflows, increasing privacy and safety risk.

Context-Inappropriate Capability

Severity: High (99% confidence)
Finding: The cross-skill workflow instructs the agent to move from token safety analysis into swap approval, tx execution, and broadcast steps. For a security-scan skill, this is dangerous because it can turn a read-only safety check into an execution path that influences or performs asset-moving actions, creating a real risk of unauthorized or unsafe approvals and trades.

Intent-Code Divergence

Severity: Medium (88% confidence)
Finding: The document says standalone scans should only present risk, but elsewhere recommends actions like swapping or selling based on scan results. This inconsistency is risky because agents may treat advisory output as permission to recommend or initiate financial actions, blurring the line between assessment and execution.

Description-Behavior Mismatch

Severity: Low (92% confidence)
Finding: The documentation tells users that after a safe tx-scan they should 'Check wallet balance,' which conflicts with the skill manifest's explicit boundary that wallet balance functionality belongs to a different skill. This is not a direct code-execution flaw, but it can cause scope confusion, incorrect tool routing, and accidental invocation of capabilities outside the intended security-review context.

Missing User Warnings

Severity: Medium (91% confidence)
Finding: The skill instructs the agent to download and execute an installer script on the user's system, which is a system-modifying action with execution risk. Although checksum verification is described, the skill does not require an explicit user-facing consent step before installation or script execution, creating a dangerous path for unexpected code execution in response to a routine scan request.

Missing User Warnings

Severity: Medium (90% confidence)
Finding: The skill instructs the agent to default to the currently logged-in wallet's EVM address when the user does not specify one, but it does not require an explicit privacy notice or confirmation before querying approval data. This can cause unintended exposure of a user's wallet-linked security posture and transaction metadata, especially if the user did not intend to use the active wallet context.

Missing User Warnings

Severity: Medium (94% confidence)
Finding: The revoke workflow describes constructing revoke calldata and then broadcasting or executing the transaction, but it does not require an explicit final confirmation gate immediately before on-chain execution. In a security-focused skill, this is dangerous because users may treat the workflow as an automated safe path and inadvertently trigger irreversible on-chain actions, including on the wrong token, spender, or chain.

Missing User Warnings

Severity: Low (75% confidence)
Finding: The skill describes querying and displaying holdings for arbitrary addresses without any warning about privacy, attribution, or user consent. Although blockchain addresses are public, an agent exposing portfolio summaries can still create privacy and targeting risks, especially if users are encouraged to inspect third-party addresses casually.

VirusTotal

64/64 vendors reported this skill as clean.