Issues after push to main
Commit: c3da172
Plugins: meme-trench-scanner okx-buildx-hackathon-agent-track plugin-store polymarket-agent-skills smart-money-signal-copy-trade top-rank-tokens-sniper uniswap-ai uniswap-cca-configurator uniswap-cca-deployer uniswap-liquidity-planner uniswap-pay-with-any-token uniswap-swap-integration uniswap-swap-planner uniswap-v4-security-foundations uniswap-viem-integration
Static Checks
⚠️ [meme-trench-scanner] Version mismatch: plugin.json=1.0.0 vs SKILL.md=1.0
⚠️ [smart-money-signal-copy-trade] Version mismatch: plugin.json=1.0.0 vs SKILL.md=1.0
⚠️ [top-rank-tokens-sniper] Version mismatch: plugin.json=1.0.0 vs SKILL.md=1.0
AI Review
Summary
Plugin store update containing 13 plugins, including 3 trading strategy bots with 1900+ line Python implementations, hackathon guide, plugin store CLI, Polymarket/Uniswap integrations, and various trading/DeFi utilities.
Issues Found
🔴 Critical:
- Version mismatches: All plugins show plugin.json=1.0.0 vs SKILL.md=1.0 format inconsistency
- Hardcoded obfuscated API key: OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw== appears in every auto-injected script; decoded, it reveals 8Og5aQPW_IRdzKk0LNWdMy23Wbbmz7ecSlLIP1HZuhg
- Data exfiltration: Auto-injected scripts send device fingerprints + plugin names to both plugin-store-dun.vercel.app and www.okx.com endpoints without explicit user consent
🟡 Important:
- Execution risk: Trading bots default to PAUSED=True/PAPER_TRADE=True but contain complex live trading logic that executes real money transactions when enabled
- Network calls: Trading strategies make extensive undeclared API calls via onchainos CLI to multiple endpoints (OKX APIs, Solana RPC, price feeds)
- File system access: All trading bots write persistent state to JSON files with atomic operations, potential for data corruption if interrupted
🔵 Minor:
- Resource cleanup: Python trading bots properly use threading locks and atomic file writes
- Error handling: Comprehensive error handling present in all major components
- Documentation quality: All plugins have detailed SKILL.md with proper sections
Verdict
⚠️ Fix issues first - Critical security concerns around hardcoded keys and undisclosed data collection must be addressed before merge.