Issues after push to main
Commit: d6c486d
Plugins: meme-trench-scanner, smart-money-signal-copy-trade, top-rank-tokens-sniper
Static Checks
⚠️ [meme-trench-scanner] Version mismatch: plugin.json=1.0.0 vs SKILL.md=1.0
⚠️ [smart-money-signal-copy-trade] Version mismatch: plugin.json=1.0.0 vs SKILL.md=1.0
⚠️ [top-rank-tokens-sniper] Version mismatch: plugin.json=1.0.0 vs SKILL.md=1.0
AI Review
Summary
Three trading bot plugins with obfuscated install reporting, hardcoded API endpoints, and various security concerns across 6,500+ lines of Python code.
Issues Found
🔴 Critical:
- Hardcoded obfuscated API key: all plugins contain the base64-encoded key OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==, used for HMAC signing in install reporting
- Hardcoded API endpoints: two external endpoints (plugin-store-dun.vercel.app, okx.com/priapi) are called during install together with device fingerprinting
- Device fingerprinting: creates a device ID from hostname:uname:$HOME and sends it to external servers without clear user consent
- Unsafe config defaults: all plugins ship with PAUSED=True and PAPER_TRADE=True, but the extensive live-trading capabilities suggest real-money usage
🟡 Important:
- Version mismatches: plugin.json shows v1.0.0 while SKILL.md shows v1.0 for all three plugins
- Extensive network calls: plugins make numerous onchainos CLI calls to external APIs, with potential for data exfiltration
- Complex execution paths: 1,000+ line Python files with intricate trading logic that's difficult to audit comprehensively
- Risk disclosure quality: While disclaimers exist, the complexity and real-money trading capabilities may not be clearly communicated to users
🔵 Minor:
- Code organization: Very large single-file implementations could benefit from modularization
- Error handling: Some subprocess calls lack comprehensive timeout/error handling
Verdict
⚠️ Fix issues first - Remove hardcoded secrets and external reporting before merge. The device fingerprinting and obfuscated API key represent significant security concerns for a financial plugin.
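The checks above (version consistency between plugin.json and SKILL.md, base64-obfuscated secrets, hardcoded endpoints, HMAC-signed install reporting, device-fingerprint sources) can be reproduced offline by a reviewer. The script below is an added example, not the store's own check tooling or any of the three plugins' code. It assumes plugin.json carries a top-level `version` field and that SKILL.md has YAML front matter with a `version:` key; the sample plugin it audits is constructed inline with a made-up token and a made-up `.invalid` endpoint, not the key or hosts from the report.

```python
"""Offline static checks for a plugin directory (added example, not the
store's own tooling). Assumes plugin.json has a top-level "version" and
SKILL.md has front matter with a `version:` line."""
import base64
import json
import math
import re
import tempfile
from collections import Counter
from pathlib import Path

# Constructed sample plugin used only to exercise the checks (not real code).
_FAKE_TOKEN = "sk_test_A9xQ2Lm7ZpVr4KjH3NbW8Yf"             # made-up token
_FAKE_B64 = base64.b64encode(_FAKE_TOKEN.encode()).decode()
SAMPLE_FILES = {
    "plugin.json": json.dumps({"name": "demo-sniper", "version": "1.0.0"}),
    "SKILL.md": "---\nname: demo-sniper\nversion: 1.0\n---\n# demo\n",
    "main.py": f'''
import base64, hashlib, hmac, json, os, platform, socket, urllib.request
_K = base64.b64decode("{_FAKE_B64}")                 # obfuscated signing key
REPORT_URL = "https://plugin-store.invalid/api/install"   # made-up endpoint
def device_id():
    raw = f"{{socket.gethostname()}}:{{platform.uname()}}:{{os.environ.get('HOME')}}"
    return hashlib.sha256(raw.encode()).hexdigest()
def report_install():
    body = json.dumps({{"device": device_id()}}).encode()
    sig = hmac.new(_K, body, hashlib.sha256).hexdigest()
    urllib.request.urlopen(REPORT_URL, body)
''',
}

B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{20,}={0,2})["\']')
HOST_RE = re.compile(r"https?://([\w.-]+)")
FINGERPRINT_SOURCES = ("socket.gethostname", "platform.uname", "os.uname",
                       "os.environ.get('HOME')", 'os.environ["HOME"]')
NETWORK_SINKS = ("urllib.request", "requests.", "http.client", "httpx.",
                 "subprocess.")


def normalize_version(v: str) -> tuple:
    """'1.0' and '1.0.0' both become (1, 0, 0); non-numeric parts become 0."""
    parts = [int(p) if p.isdigit() else 0 for p in v.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def find_base64_secrets(src: str, min_entropy: float = 3.5) -> list:
    """Quoted base64 literals that decode to printable, high-entropy text."""
    hits = []
    for lit in B64_LITERAL.findall(src):
        try:
            text = base64.b64decode(lit, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
            continue
        ent = shannon_entropy(text)
        if text.isprintable() and ent >= min_entropy:
            hits.append({"literal": lit, "decoded": text, "entropy": round(ent, 2)})
    return hits


def find_install_side_effects(src: str) -> dict:
    """Hardcoded hosts, fingerprint sources, HMAC signing and network sinks."""
    return {
        "hosts": sorted(set(HOST_RE.findall(src))),
        "fingerprint": [s for s in FINGERPRINT_SOURCES if s in src],
        "hmac_signing": re.search(r"\bhmac\.new\(", src) is not None,
        "network": [s for s in NETWORK_SINKS if s in src],
    }


def check_versions(plugin_json: str, skill_md: str) -> dict:
    pj = str(json.loads(plugin_json).get("version", ""))
    m = re.search(r"^version:\s*(\S+)", skill_md, re.MULTILINE)
    sm = m.group(1) if m else ""
    return {"plugin_json": pj, "skill_md": sm, "mismatch": pj != sm,
            # "1.0.0" vs "1.0" is a cosmetic mismatch; differing numbers are not
            "cosmetic_only": pj != sm and normalize_version(pj) == normalize_version(sm)}


def audit_plugin(plugin_dir: Path) -> dict:
    report = {"versions": check_versions((plugin_dir / "plugin.json").read_text(),
                                         (plugin_dir / "SKILL.md").read_text()),
              "secrets": [], "side_effects": {}}
    for py in sorted(plugin_dir.glob("*.py")):
        src = py.read_text()
        report["secrets"] += [dict(file=py.name, **h) for h in find_base64_secrets(src)]
        report["side_effects"][py.name] = find_install_side_effects(src)
    return report


def demo() -> dict:
    """Write the constructed sample plugin to a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLE_FILES.items():
            (Path(d) / name).write_text(body)
        return audit_plugin(Path(d))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Point `audit_plugin` at a real plugin directory instead of `demo()` to run it for review. The base64 check decodes every long quoted literal and keeps only those that decode to printable text with entropy above 3.5 bits per character, which separates an encoded API key from encoded prose or binary blobs; the version check reports whether a mismatch is only cosmetic (same numbers, different padding) or a genuine disagreement.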