Is aaronllee/easy-swap safe?
https://github.com/openclaw/skills/tree/main/skills/aaronllee/easy-swap
The aaronllee/easy-swap skill is a functionally legitimate DeFi tool for executing token swaps via the OKX DEX Aggregator, with clean code, no prompt injection content, and a clean installation process. However, it carries serious inherent security risks: it explicitly requires private_key_or_signer as agent context (placing blockchain private keys inside LLM working memory), executes irreversible on-chain financial transactions, and routes all signed transactions through OKX's infrastructure. The skill is not malicious by design but its operational model is fundamentally unsafe for deployment in an agent with general tool access, as any prompt injection or agent confusion during execution could permanently drain user funds.
Findings (10)
CRITICAL Private key required as agent context -30
The skill's metadata declares required_context: [api_key, secret_key, passphrase, user_wallet_address, private_key_or_signer]. In skill-aware agent runtimes, this instructs the agent to obtain and hold the user's raw blockchain private key in its working context before invoking the skill. Private keys in LLM context are exposed to prompt injection attacks, context logging, and accidental output. This is categorically unsafe regardless of whether the skill itself is malicious.
HIGH Skill enables irreversible financial transactions from agent context -25
The skill's complete flow (get swap calldata, sign with private key, broadcast to chain) results in irreversible on-chain transfers. Any agent confusion, prompt injection, or parameter manipulation during this flow can permanently transfer user funds. The skill provides no confirmation gate or simulation-before-execution pattern.
HIGH All signed transactions routed through OKX infrastructure -20
The broadcast endpoint sends fully signed transactions to OKX's servers rather than directly to the blockchain. OKX gains full visibility into wallet addresses, swap frequency, token holdings, and transaction timing. The HMAC-authenticated API calls also send OKX_ACCESS_KEY and OKX_PASSPHRASE on every request.
MEDIUM Fee extraction and fund redirection parameters exposed -15
The skill documents feePercent (up to 3% EVM / 10% Solana), fromTokenReferrerWalletAddress, toTokenReferrerWalletAddress, and swapReceiverAddress parameters. A prompt-injected or maliciously updated skill could silently populate these with attacker-controlled addresses on every swap invocation, draining value without user awareness.
MEDIUM Functional executable Python included: high-risk operations -15
scripts/easy_swap.py is a production-ready client that reads private keys, signs EVM and Solana transactions, and broadcasts them. While no malicious patterns are present, including a ready-to-run financial transaction script in a skill lowers the barrier for accidental or induced misuse by an agent with tool-use capabilities.
MEDIUM Max uint256 token approval pattern documented as an option -10
The skill recommends considering max uint256 approvals for repeated swaps. Agents following this guidance grant the OKX router contract unlimited authority to spend any amount of the approved token, persisting across sessions. If the OKX router is compromised or the approval is granted erroneously, funds can be drained without any additional user action.
LOW Skill metadata normalizes private key sharing with AI agents -10
While not a prompt injection attack per se, the required_context declaration trains users and agent frameworks to treat private key provision as a normal precondition for skill use. This social normalization effect could lead users to provide private keys to agents for other skills that do not legitimately require them.
LOW Unusual author attribution: 'Claude Assistant' -7
The skill metadata lists author as 'Claude Assistant', suggesting it was generated by an LLM rather than reviewed and published by a human author. This reduces accountability and makes it harder to verify provenance or contact a maintainer for security issues.
INFO Clean installation: only GitHub contacted 0
The install process performed a standard sparse git clone from github.com, copied only the skill files, and removed the temporary clone. No unexpected network destinations, no new persistent listeners, no filesystem changes outside the skill directory.
INFO All canary files intact: no credential exfiltration detected 0
Honeypot files including .env, id_rsa, AWS credentials, npmrc, Docker config, and GCloud credentials were all verified intact after install. No canary content appeared in captured network traffic.