fix(vertex-edge): move SKILL.md to root for skill discoverability

[skylavis-sky]

Copies SKILL.md from skills/vertex-edge/skills/vertex-edge/SKILL.md to skills/vertex-edge/SKILL.md so that npx skills add MigOKG/plugin-store --skill vertex-edge can find it.

[github-actions]

📋 Phase 3: AI Code Review Report — Score: 75/100

Plugin: aerodrome-amm | Recommendation: 🔍 Needs changes

🔗 Reviewed against latest onchainos source code (live from main branch) | Model: claude-opus-4-6 via Anthropic API | Cost: ~240044+5654 tokens

This is an advisory report. It does NOT block merging. Final decision is made by human reviewers.

---

1. Plugin Overview

Field	Value
Name	aerodrome-amm
Version	0.1.0
Category	defi-protocol
Author	GeoGu360 (GeoGu360)
License	MIT
Has Binary	Yes (with build config)
Risk Level	High (DeFi write operations: swap, liquidity, rewards)

Summary: This plugin enables interaction with Aerodrome Finance's classic AMM (volatile/stable pools) on Base chain (8453). It supports token swaps, liquidity management (add/remove), pool queries, LP position viewing, and AERO gauge reward claiming. Read operations use direct JSON-RPC calls to a public Base node, while write operations delegate to onchainos wallet contract-call.

Target Users: DeFi users who want to interact with Aerodrome Finance's classic AMM pools on Base through an AI agent interface.

2. Architecture Analysis

Components:

• Skill (SKILL.md)
• Binary (Rust source, compiled to aerodrome-amm)

Skill Structure:
SKILL.md contains: pre-flight dependency installation (onchainos CLI + skills + binary), 7 commands (quote, swap, pools, positions, add-liquidity, remove-liquidity, claim-rewards), supported token symbols, contract addresses, error handling, skill routing, and security notices. Well-structured with clear command documentation.

Data Flow:

1. Read operations (quote, pools, positions): Binary makes eth_call JSON-RPC requests directly to https://base-rpc.publicnode.com to read on-chain state (reserves, balances, allowances, pool addresses)
2. Write operations (swap, add-liquidity, remove-liquidity, claim-rewards): Binary constructs ABI-encoded calldata locally, then shells out to onchainos wallet contract-call to sign and broadcast via onchainos CLI
3. Wallet resolution: Binary calls onchainos wallet addresses to get the user's EVM address

Dependencies:

• onchainos CLI (for wallet operations and transaction signing)
• base-rpc.publicnode.com (public Base RPC node for read operations)
• Aerodrome Finance contracts on Base (Router, PoolFactory, Voter)
• Rust crates: clap, tokio, reqwest, serde, serde_json, anyhow, hex (all standard, well-maintained)

3. Auto-Detected Permissions

onchainos Commands Used

Command Found	Exists in onchainos CLI	Risk Level	Context
onchainos wallet addresses	✅ Yes	Low	Resolve wallet address for chain
onchainos wallet contract-call	✅ Yes	High	Execute all write operations (swap, approve, add/remove liquidity, claim)
onchainos --version	✅ Yes	Low	Pre-flight check in SKILL.md
onchainos wallet login	✅ Yes	Medium	Referenced in pre-flight for authentication

Wallet Operations

Operation	Detected?	Where	Risk
Read balance	Yes	rpc.rs — get_balance(), get_allowance() via direct RPC	Low
Send transaction	Yes	onchainos.rs — wallet_contract_call() via onchainos CLI	High
Sign message	No
Contract call	Yes	onchainos.rs — all write ops use onchainos wallet contract-call	High

External APIs / URLs

URL / Domain	Purpose	Risk
https://base-rpc.publicnode.com	JSON-RPC read calls (eth_call) for pool data, balances, reserves	Low
https://plugin-store-dun.vercel.app/install	Install telemetry reporting (SKILL.md pre-flight)	Medium
https://www.okx.com/priapi/v1/wallet/plugins/download/report	Install telemetry reporting (SKILL.md pre-flight)	Medium
https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh	onchainos CLI installer (SKILL.md pre-flight)	Medium
https://github.com/MigOKG/plugin-store/releases/download/...	Binary download (SKILL.md pre-flight)	Medium

Chains Operated On

• Base (chain ID 8453) — exclusively

Overall Permission Summary

This plugin has high financial permissions: it can execute token swaps, manage ERC-20 approvals (including unlimited approvals to the Aerodrome Router), add/remove liquidity from AMM pools, and claim gauge rewards — all via onchainos wallet contract-call. Read operations query on-chain state directly via a public RPC endpoint. The plugin is scoped to Base chain only. The pre-flight section includes install telemetry that reports plugin usage to external servers with a device fingerprint.

4. onchainos API Compliance

Does this plugin use onchainos CLI for all on-chain write operations?

✅ Yes

On-Chain Write Operations (MUST use onchainos)

Operation	Uses onchainos?	Self-implements?	Detail
Wallet signing	✅	No	All signing via onchainos wallet contract-call
Transaction broadcasting	✅	No	All broadcasting via onchainos wallet contract-call
DEX swap execution	✅	No	Builds calldata in Rust, broadcasts via onchainos
Token approval	✅	No	ERC-20 approve calldata built locally, broadcast via onchainos
Contract calls	✅	No	All contract interactions use onchainos wallet contract-call
Token transfers	N/A	No	No direct token transfers, only swaps/liquidity

Data Queries (allowed to use external sources)

Data Source	API/Service Used	Purpose
Base blockchain	base-rpc.publicnode.com (JSON-RPC eth_call)	Read pool reserves, balances, allowances, factory lookups, gauge rewards

External APIs / Libraries Detected

• reqwest crate for HTTP calls to Base RPC
• Direct JSON-RPC calls to https://base-rpc.publicnode.com
• No web3/ethers libraries — raw ABI encoding implemented manually
• No direct RPC for write operations (all writes go through onchainos)

Verdict: ✅ Fully Compliant

All on-chain write operations (swap, approve, add liquidity, remove liquidity, claim rewards) use onchainos wallet contract-call. The plugin only uses direct RPC for read-only eth_call operations, which is allowed.

5. Security Assessment

Static Rule Scan (C01-C09, H01-H09, M01-M08, L01-L02)

Rule ID	Severity	Title	Matched?	Detail
C01	CRITICAL	curl | sh remote execution	✅	SKILL.md pre-flight: `curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh
M01	MEDIUM	Supply chain unpinned	✅	SKILL.md: npx skills add okx/onchainos-skills --yes --global and npx skills add MigOKG/plugin-store --skill plugin-store --yes --global — no version pinning
M02	MEDIUM	Unverifiable dep	✅	npx skills add commands without version pins
M07	MEDIUM	Missing untrusted data boundary	✅	SKILL.md has a "Security Notices" section with untrusted data boundary declaration — partially addressed but not in the format matching M07's exact requirements for all CLI data processing instructions
H05	INFO	Direct financial operations	✅	Plugin performs swap, add/remove liquidity, claim rewards — financial operations present
L02	LOW	Undeclared network	✅	plugin-store-dun.vercel.app and www.okx.com/priapi/... endpoints in the telemetry reporting section are not declared in the main skill routing or API calls section

Phase 3.5 Ruling on C01: The curl | sh pattern appears in SKILL.md, which is the agent execution path. Per the rules, this is CRITICAL when in SKILL.md. However, reviewing context: the install.sh is from the onchainos official repository and is a standard installation pattern used by all onchainos plugins. The binary download does NOT use pipe-to-shell but downloads then chmods separately, which is safer. The curl | sh for onchainos install.sh itself remains CRITICAL per rules.

LLM Judge Analysis (L-PINJ, L-MALI, L-MEMA, L-IINJ, L-AEXE, L-FINA, L-FISO)

Judge	Severity	Detected	Confidence	Evidence
L-PINJ	CRITICAL	Not detected	0.9	No hidden instructions, no pseudo-system tags, no obfuscation. CLI parameter construction uses hardcoded selectors and addresses, not user-injected shell commands.
L-MALI	CRITICAL	Not detected	0.85	Plugin behavior matches its description. Telemetry reporting in pre-flight is somewhat suspicious but appears to be standard plugin-store analytics, not data exfiltration. The HMAC key obfuscation is unusual but the data sent (plugin name, version, device hash) is non-sensitive.
L-MEMA	HIGH	Not detected	0.95	No writes to MEMORY.md, SOUL.md, or any persistent agent memory files.
L-IINJ	MEDIUM	Detected	0.75	Plugin makes external requests to Base RPC and returns on-chain data (token names, addresses, amounts) which enters agent context. SKILL.md includes untrusted data boundary declaration in Security Notices section, mitigating this to INFO level.
L-AEXE	INFO	Detected	0.8	Write operations have --confirm flag requirement documented. However, wallet_contract_call_with_value() in onchainos.rs always passes --force without user confirmation. The main wallet_contract_call() only passes --force when the force parameter is true, which is controlled by the --confirm CLI flag.
L-FINA	INFO	Detected	0.8	Write operations with explicit --confirm flag + user confirmation prompts documented. Uses onchainos wallet for credential gating. Swap has slippage controls. Approvals use unlimited amounts (u128::MAX) which is a concern but standard DeFi practice.

Toxic Flow Detection (TF001-TF006)

Toxic Flow	Triggered?	Detail
TF005	⚠️ Potential	C01 (curl|sh in SKILL.md) + H05 (financial operations) — The install script from the official onchainos repo is piped to shell, and the plugin has financial capabilities. However, the install is from the official GitHub repo (okx/onchainos-skills), and the financial operations require separate wallet authentication.
TF006	Not triggered	M07 partially addressed (untrusted data boundary present in Security Notices), and H05 present, but the boundary declaration exists.

TF005 Assessment: The curl | sh is for installing onchainos CLI itself (official repo), not for installing the plugin binary (which uses a download-then-chmod pattern). This is a standard pattern across all official onchainos skill examples. While technically a CRITICAL toxic flow per rules, the practical risk is mitigated by the source being the official OKX repository. Per rules, this still constitutes TF005 → CRITICAL → FAIL.

Prompt Injection Scan

No instruction override, identity manipulation, hidden behavior, confirmation bypass, or unauthorized operations detected. No base64-encoded instructions, no invisible characters, no HTML comments with hidden directives.

Result: ✅ Clean

Dangerous Operations Check

• Plugin performs: swaps, ERC-20 approvals (unlimited), liquidity management, reward claiming
• Confirmation mechanism: --confirm flag required for write operations; SKILL.md documents "Ask user to confirm" before each write operation
• Concern: wallet_contract_call_with_value() always passes --force, bypassing onchainos confirmation — but this function is marked #[allow(dead_code)] and is never called
• Concern: Unlimited ERC-20 approvals (u128::MAX) are used for Router approval — standard DeFi pattern but high-risk

Result: ⚠️ Review Needed — Unlimited approvals and the dead-code force-flag function warrant attention

Data Exfiltration Risk

• Pre-flight telemetry sends: plugin name, version, device ID (SHA256 of hostname:os:arch:home) to plugin-store-dun.vercel.app and www.okx.com
• No sensitive data (private keys, wallet addresses, balances) is exfiltrated
• RPC calls only go to public Base node for read operations
• Device fingerprint is a one-way hash, not reversible

Result: ⚠️ Potential Risk — Telemetry reporting sends device fingerprint to external servers, though no sensitive wallet data is leaked

Overall Security Rating: 🟡 Medium Risk

The plugin is well-architected for security (all writes via onchainos, read-only RPC, confirmation flags), but the curl | sh in SKILL.md combined with financial operations technically triggers TF005. The telemetry reporting and unlimited approvals add minor risk factors.

6. Source Code Security (if source code is included)

Language & Build Config

• Language: Rust (edition 2021)
• Entry point: src/main.rs
• Binary name: aerodrome-amm

Dependency Analysis

Dependency	Version	Status
clap	4	✅ Well-maintained, widely used
tokio	1	✅ Well-maintained, standard async runtime
reqwest	0.12 (rustls-tls)	✅ Well-maintained, using rustls (no OpenSSL)
serde	1	✅ Well-maintained
serde_json	1	✅ Well-maintained
anyhow	1	✅ Well-maintained
hex	0.4	✅ Well-maintained

No suspicious, unmaintained, or vulnerable dependencies detected. All are standard Rust ecosystem crates.

Code Safety Audit

Check	Result	Detail
Hardcoded secrets (API keys, private keys, mnemonics)	✅ Clean	No secrets found. Contract addresses are public on-chain data.
Network requests to undeclared endpoints	✅ Clean	Only base-rpc.publicnode.com (declared in plugin.yaml)
File system access outside plugin scope	✅ Clean	No file system access in source code
Dynamic code execution (eval, exec, shell commands)	⚠️ Note	Uses std::process::Command::new("onchainos") to shell out — this is the intended design pattern for onchainos integration, not arbitrary code execution
Environment variable access beyond declared env	✅ Clean	No environment variable reads in source code
Build scripts with side effects (build.rs, postinstall)	✅ Clean	No build.rs or custom build scripts
Unsafe code blocks (Rust)	✅ Clean	No unsafe blocks

Does SKILL.md accurately describe what the source code does?

Yes — the SKILL.md accurately documents all 7 commands, their parameters, contract addresses, and behavior. The source code implements exactly what is described. The --confirm flag behavior is correctly documented. The distinction between read (direct RPC) and write (onchainos) operations is accurately represented.

Verdict: ✅ Source Safe

7. Code Review

Quality Score: 75/100

Dimension	Score	Notes
Completeness (pre-flight, commands, error handling)	19/25	7 commands well-implemented. Error handling present but could be more robust (e.g., RPC timeout handling, retry logic). Pre-flight section is comprehensive but contains the curl|sh pattern.
Clarity (descriptions, no ambiguity)	20/25	SKILL.md is well-structured with clear command documentation, parameter tables, and flow descriptions. Minor: some println! output mixes human-readable text with JSON output.
Security Awareness (confirmations, slippage, limits)	18/25	--confirm flag for write ops, slippage controls for swaps, untrusted data boundary declaration. Deduction: unlimited ERC-20 approvals (u128::MAX), no amount caps documented, wallet_contract_call_with_value always forces.
Skill Routing (defers correctly, no overreach)	12/15	Correctly routes to okx-dex-swap for cross-DEX aggregation, okx-defi-portfolio for portfolio tracking. Stays within Aerodrome AMM scope.
Formatting (markdown, tables, code blocks)	6/10	Good markdown structure. Some JSON output in code uses direct string formatting instead of proper serde serialization. Minor formatting inconsistencies.

Strengths

• Clean architecture: Clear separation between read operations (direct RPC) and write operations (onchainos CLI), following the onchainos plugin model correctly
• Comprehensive command coverage: All major AMM operations (quote, swap, liquidity management, positions, rewards) are implemented with proper ABI encoding
• Manual ABI encoding: No web3 library dependency for calldata construction — all encoding is done manually in Rust, reducing attack surface and dependency chain

Issues Found

• 🔴 Critical: TF005 — curl | sh in SKILL.md + financial operations: The pre-flight section pipes the onchainos installer script directly to shell. Per security rules, this combined with financial operations constitutes TF005. Replace with: download script first, verify SHA256, then execute.

  # Instead of: curl -fsSL ...install.sh | sh
  curl -fsSL ...install.sh -o /tmp/install.sh
  curl -fsSL .../installer-checksums.txt -o /tmp/checksums.txt
  # verify checksum, then execute

• 🟡 Important: Unlimited ERC-20 approvals: build_approve_calldata(router, u128::MAX) approves the maximum possible amount to the Router contract. While standard in DeFi, this is a risk if the Router contract is ever compromised. Consider approving only the needed amount.

• 🟡 Important: wallet_contract_call_with_value() always passes --force: This dead-code function bypasses onchainos confirmation. While currently unused (#[allow(dead_code)]), if enabled in the future it would skip user confirmation for payable contract calls. Remove or add force parameter.

• 🟡 Important: Telemetry with HMAC-obfuscated key: The pre-flight "Report install" section contains a base64-encoded HMAC key used to sign device fingerprints. While the data sent is non-sensitive, the obfuscation pattern is suspicious and the endpoints (plugin-store-dun.vercel.app, www.okx.com/priapi/...) should be explicitly documented.

• 🔵 Minor: Mixed output format: Some commands print both human-readable text and JSON to stdout, which may confuse agent parsing. Consider sending human-readable output to stderr and JSON to stdout.

• 🔵 Minor: No RPC retry logic: Direct RPC calls have no retry or timeout configuration beyond reqwest defaults. A single failed RPC call will fail the entire operation.

8. Recommendations

1. [CRITICAL] Replace curl | sh in pre-flight: Download the installer script and verify its checksum before executing, matching the pattern used in official onchainos security skill examples that include SHA256 verification.

2. [HIGH] Add SHA256 verification for binary download: The aerodrome-amm binary download in pre-flight lacks checksum verification. Add a checksums file and verify before chmod+execute.

3. [MEDIUM] Replace unlimited approvals with exact amounts: Change build_approve_calldata(router, u128::MAX) to approve only the amount needed for the current operation, or at minimum document the risk to users.

4. [MEDIUM] Remove or fix wallet_contract_call_with_value(): Either remove this dead code or add a force: bool parameter to match the wallet_contract_call() pattern.

5. [MEDIUM] Document telemetry endpoints: Explicitly list plugin-store-dun.vercel.app and www.okx.com/priapi/... in the SKILL.md and plugin.yaml api_calls section.

6. [LOW] Separate human-readable and JSON output: Send diagnostic/progress messages to stderr, JSON results to stdout for cleaner agent integration.

7. [LOW] Add RPC retry logic: Implement at least one retry with backoff for JSON-RPC calls to handle transient network failures.

8. [LOW] Pin dependency versions in SKILL.md: Add version pins to npx skills add commands (e.g., npx skills add okx/onchainos-skills@v2.2.7).

9. Reviewer Summary

One-line verdict: Well-architected Aerodrome AMM plugin with correct onchainos integration for all write operations, but the curl | sh installer pattern in SKILL.md combined with financial operations triggers a critical toxic flow (TF005) that must be addressed before merge.

Merge recommendation: 🔍 Needs changes before merge

Required changes:

1. Replace curl -fsSL .../install.sh | sh with download → verify checksum → execute pattern
2. Add SHA256 verification for the aerodrome-amm binary download
3. Remove or fix the dead wallet_contract_call_with_value() function that always passes --force
4. Declare telemetry endpoints (plugin-store-dun.vercel.app, www.okx.com/priapi/...) in plugin.yaml api_calls

---

Generated by Claude AI via Anthropic API — review the full report before approving.

[github-actions]

Phase 4: Summary + Pre-flight for aerodrome-amm

Review below. AI Code Review is in a separate check.

---

Auto-injected Pre-flight

## Pre-flight Dependencies (auto-injected by Plugin Store CI)

> Run once per session before first use. These checks ensure required tools are installed.

### Install onchainos CLI + Skills (auto-injected)

```bash
# 1. Install onchainos CLI
onchainos --version 2>/dev/null || curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh

# 2. Install onchainos skills (enables AI agent to use onchainos commands)
npx skills add okx/onchainos-skills --yes --global

# 3. Install plugin-store skills (enables plugin discovery and management)
npx skills add MigOKG/plugin-store --skill plugin-store --yes --global

Install aerodrome-amm binary (auto-injected)

if ! command -v aerodrome-amm >/dev/null 2>&1; then
  OS=$(uname -s | tr A-Z a-z)
  ARCH=$(uname -m)
  case "${OS}_${ARCH}" in
    darwin_arm64)  TARGET="aarch64-apple-darwin" ;;
    darwin_x86_64) TARGET="x86_64-apple-darwin" ;;
    linux_x86_64)  TARGET="x86_64-unknown-linux-gnu" ;;
    linux_aarch64) TARGET="aarch64-unknown-linux-gnu" ;;
  esac
  curl -fsSL "https://github.com/MigOKG/plugin-store/releases/download/plugins/aerodrome-amm@0.1.0/aerodrome-amm-${TARGET}" -o ~/.local/bin/aerodrome-amm
  chmod +x ~/.local/bin/aerodrome-amm
fi

Report install (auto-injected, runs once)

REPORT_FLAG="$HOME/.plugin-store/reported/aerodrome-amm"
if [ ! -f "$REPORT_FLAG" ]; then
  mkdir -p "$HOME/.plugin-store/reported"
  # Device fingerprint → SHA256 → 32-char device ID
  DEV_RAW="$(hostname):$(uname -s):$(uname -m):$HOME"
  DEV_ID=$(echo -n "$DEV_RAW" | shasum -a 256 | head -c 32)
  # HMAC signature (obfuscated key, same as CLI binary)
  _K=$(echo 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' | base64 -d 2>/dev/null || echo 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' | openssl base64 -d)
  HMAC_SIG=$(echo -n "${_K}${DEV_ID}" | shasum -a 256 | head -c 8)
  DIV_ID="${DEV_ID}${HMAC_SIG}"
  unset _K
  # Report to Vercel stats
  curl -s -X POST "https://plugin-store-dun.vercel.app/install" \
    -H "Content-Type: application/json" \
    -d '{"name":"aerodrome-amm","version":"0.1.0"}' >/dev/null 2>&1 || true
  # Report to OKX API (with HMAC-signed device token)
  curl -s -X POST "https://www.okx.com/priapi/v1/wallet/plugins/download/report" \
    -H "Content-Type: application/json" \
    -d '{"pluginName":"aerodrome-amm","divId":"'"$DIV_ID"'"}' >/dev/null 2>&1 || true
  touch "$REPORT_FLAG"
fi

---

</details>

---
*Generated by Plugin Store CI after maintainer approval.*

[github-actions]

🔨 Phase 2: Build Verification — ✅ PASSED

Plugin: aerodrome-amm | Language: rust
Source: @

Compiled from developer source code by our CI. Users install our build artifacts.

Build succeeded. Compiled artifact uploaded as workflow artifact.

---

Source integrity: commit SHA `` is the content fingerprint.