fix(zerolend): move SKILL.md to root for skill discoverability #232

Closed
skylavis-sky wants to merge 2 commits into MigOKG:main from skylavis-sky:fix/skill-md-zerolend

@skylavis-sky
Collaborator

Copies SKILL.md from skills/zerolend/skills/zerolend/SKILL.md to skills/zerolend/SKILL.md so that npx skills add MigOKG/plugin-store --skill zerolend can find it.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@github-actions

github-actions bot commented Apr 9, 2026

📋 Phase 3: AI Code Review Report — Score: 72/100

Plugin: aerodrome-amm | Recommendation: 🔍 Needs changes

🔗 Reviewed against latest onchainos source code (live from main branch) | Model: claude-opus-4-6 via Anthropic API | Cost: ~240044+5762 tokens

This is an advisory report. It does NOT block merging. Final decision is made by human reviewers.


1. Plugin Overview
| Field | Value |
|---|---|
| Name | aerodrome-amm |
| Version | 0.1.0 |
| Category | defi-protocol |
| Author | GeoGu360 (GeoGu360) |
| License | MIT |
| Has Binary | Yes (with build config) |
| Risk Level | HIGH — performs on-chain swaps, liquidity operations, token approvals, and reward claims |

Summary: This plugin enables users to interact with Aerodrome Finance's classic AMM (volatile/stable pools) on Base (chain 8453). It supports swapping tokens, querying pool info and quotes, managing LP positions (add/remove liquidity), and claiming AERO gauge rewards. Read-only operations use direct JSON-RPC calls to a public Base node, while write operations are routed through onchainos wallet contract-call.

Target Users: DeFi users who want to provide liquidity, swap tokens, or farm AERO rewards on Aerodrome Finance on the Base network.

2. Architecture Analysis

Components:

  • Skill (SKILL.md)
  • Binary (Rust, aerodrome-amm)

Skill Structure:
SKILL.md contains: pre-flight dependency installation, plugin binary installation, install reporting, 7 command descriptions (quote, swap, pools, positions, add-liquidity, remove-liquidity, claim-rewards), supported token symbols table, contract addresses, error handling table, skill routing section, and security notices. Well-structured with clear command documentation.

Data Flow:

  1. Read-only operations (quote, pools, positions): Binary makes direct eth_call JSON-RPC requests to https://base-rpc.publicnode.com to query on-chain state (reserves, balances, allowances, pool addresses).
  2. Write operations (swap, add-liquidity, remove-liquidity, claim-rewards): Binary constructs ABI-encoded calldata locally, then shells out to onchainos wallet contract-call to sign and broadcast transactions via the onchainos CLI.
  3. Wallet resolution: Binary calls onchainos wallet addresses to resolve the user's wallet address.

Dependencies:

  • onchainos CLI (for wallet operations and transaction signing/broadcasting)
  • https://base-rpc.publicnode.com (public Base RPC endpoint for read-only eth_call)
  • Aerodrome Finance smart contracts on Base (Router, PoolFactory, Voter)
  • Standard Rust crates: clap, tokio, reqwest, serde, serde_json, anyhow, hex
3. Auto-Detected Permissions

onchainos Commands Used

| Command Found | Exists in onchainos CLI | Risk Level | Context |
|---|---|---|---|
| onchainos wallet addresses | ✅ Yes | Low | Resolving user's wallet address for Base chain |
| onchainos wallet contract-call | ✅ Yes | High | All write operations: swap, approve, add/remove liquidity, claim rewards |
| onchainos --version | ✅ Yes | Low | Pre-flight version check |
| onchainos wallet login | ✅ Yes | Medium | Referenced in pre-flight install section (via npx skills) |

Wallet Operations

| Operation | Detected? | Where | Risk |
|---|---|---|---|
| Read balance | Yes | positions command via RPC balanceOf calls | Low |
| Send transaction | Yes | All write commands via onchainos wallet contract-call | High |
| Sign message | No | | |
| Contract call | Yes | swap, approve, add-liquidity, remove-liquidity, claim-rewards | High |

External APIs / URLs

| URL / Domain | Purpose | Risk |
|---|---|---|
| https://base-rpc.publicnode.com | Base chain JSON-RPC for eth_call (read-only) | Low |
| https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | onchainos installer download (pre-flight) | Medium |
| https://github.com/MigOKG/plugin-store/releases/download/plugins/aerodrome-amm@0.1.0/... | Binary download | Medium |
| https://plugin-store-dun.vercel.app/install | Install telemetry reporting | Low |
| https://www.okx.com/priapi/v1/wallet/plugins/download/report | OKX install telemetry reporting | Low |

Chains Operated On

  • Base (chain ID 8453) — exclusively

Overall Permission Summary

This plugin reads on-chain data (pool reserves, balances, allowances) via direct JSON-RPC calls to a public Base RPC node. For all write operations (token approvals, swaps, liquidity management, reward claims), it delegates to onchainos wallet contract-call, which handles signing through the TEE-protected agentic wallet. The plugin constructs raw ABI-encoded calldata and passes it to onchainos. It has full capability to execute arbitrary contract calls on Base via the onchainos wallet. Token approvals are set to u128::MAX (unlimited), which is a common but risky pattern. The --force flag is conditionally applied based on user confirmation flow.

4. onchainos API Compliance

Does this plugin use onchainos CLI for all on-chain write operations?

Yes — All blockchain write operations (token approvals, swaps, liquidity add/remove, reward claims) are executed through onchainos wallet contract-call. The binary constructs calldata locally but delegates signing and broadcasting to onchainos.

On-Chain Write Operations (MUST use onchainos)

| Operation | Uses onchainos? | Self-implements? | Detail |
|---|---|---|---|
| Wallet signing | | No | Via onchainos wallet contract-call |
| Transaction broadcasting | | No | Via onchainos wallet contract-call |
| DEX swap execution | | No | Calldata built locally, broadcast via onchainos |
| Token approval | | No | ERC-20 approve calldata via onchainos |
| Contract calls | | No | All contract interactions via onchainos |
| Token transfers | N/A | No | Not applicable (no direct transfers) |

Data Queries (allowed to use external sources)

| Data Source | API/Service Used | Purpose |
|---|---|---|
| Base blockchain state | https://base-rpc.publicnode.com (JSON-RPC eth_call) | Pool reserves, token balances, allowances, pool addresses, gauge earned amounts |

External APIs / Libraries Detected

  • reqwest library for HTTP requests to Base RPC endpoint
  • Direct JSON-RPC eth_call to https://base-rpc.publicnode.com
  • No web3/ethers.js libraries — manual ABI encoding in Rust
  • std::process::Command to shell out to onchainos CLI binary

Verdict: ✅ Fully Compliant

All on-chain write operations use onchainos wallet contract-call. Read-only blockchain queries use direct RPC calls, which is permitted. No self-implemented signing, key management, or transaction broadcasting.

5. Security Assessment

Static Rule Scan (C01-C09, H01-H09, M01-M08, L01-L02)

| Rule ID | Severity | Title | Matched? | Detail |
|---|---|---|---|---|
| C01 | CRITICAL | curl \| sh remote execution | ⚠️ Matched | SKILL.md pre-flight: curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh \| sh. Located in SKILL.md (not a separate README), so this is in the Agent execution path. However, this is the standard onchainos installer pattern used across all official plugins. Phase 3.5: In SKILL.md → maintains CRITICAL. |
| M01 | MEDIUM | Supply chain unpinned | ✅ Matched | npx skills add okx/onchainos-skills --yes --global and npx skills add MigOKG/plugin-store --skill plugin-store --yes --global — no version pinning |
| M02 | MEDIUM | Unverifiable dep | ✅ Matched | npx skills add commands without version locks |
| M07 | MEDIUM | Missing untrusted data boundary | ✅ Matched | SKILL.md has a security notice about untrusted data, but it's generic. The binary processes on-chain data (token names, amounts, addresses from RPC responses) without explicit boundary markers in SKILL.md command descriptions |
| M08 | MEDIUM | External data field passthrough | ✅ Matched | CLI output includes raw on-chain data (pool addresses, reserves, token addresses) that flows directly into agent context without field-level isolation |
| H05 | INFO | Direct financial operations | ✅ Matched | Plugin performs swaps, approvals, liquidity operations — financial operations are its core purpose |
| H09 | HIGH | signed-tx CLI param | Not matched | Plugin does not use --signed-tx parameter |
| L02 | LOW | Undeclared network | Not matched | RPC URL is declared in plugin.yaml api_calls and in source code |

LLM Judge Analysis (L-PINJ, L-MALI, L-MEMA, L-IINJ, L-AEXE, L-FINA, L-FISO)

| Judge | Severity | Detected | Confidence | Evidence |
|---|---|---|---|---|
| L-PINJ | CRITICAL | Not detected | 0.95 | No hidden instructions, no pseudo-system tags, no encoded payloads. SKILL.md is straightforward DeFi plugin documentation. |
| L-MALI | CRITICAL | Not detected | 0.90 | Code behavior matches described functionality. Swap, liquidity, and reward operations are clearly documented. No hidden data exfiltration or unauthorized operations. The install reporting script collects a device fingerprint hash but this is disclosed and non-sensitive. |
| L-MEMA | HIGH | Not detected | 0.95 | No attempts to write to MEMORY.md, SOUL.md, or other persistent memory files. |
| L-IINJ | MEDIUM | Detected | 0.80 | Plugin makes direct RPC calls and processes on-chain data. SKILL.md has a generic untrusted data notice but lacks per-command field-level isolation. On-chain token names/symbols flow into agent context. |
| L-AEXE | INFO | Detected | 0.75 | Write operations use --confirm flag pattern for user confirmation. However, the wallet_contract_call_with_value function always passes --force without confirmation gating. The swap and liquidity commands print "Please confirm... (Proceeding automatically in non-interactive mode)" which suggests auto-execution. |
| L-FINA | INFO | Detected | 0.85 | Plugin has financial operations (swap, approve, add/remove liquidity, claim rewards) with confirmation mechanisms (--confirm flag, --dry-run flag). Token approvals use u128::MAX (unlimited). The --force flag on onchainos wallet contract-call bypasses backend confirmation prompts. |

Toxic Flow Detection (TF001-TF006)

TF005 — curl|sh + financial access:

  • command-injection (C01) ✅ triggered — curl | sh in SKILL.md
  • direct-financial (H05) ✅ triggered — swap/approve/liquidity operations
  • TF005 conditions met → CRITICAL → FAIL

However, important context: The curl | sh pattern is the standard onchainos installer used across ALL official OKX plugins (okx-dex-swap, okx-agentic-wallet, etc.) and is auto-injected by the Plugin Store CI. The install URL points to the official OKX GitHub repository (okx/onchainos-skills). This is a known accepted pattern in the ecosystem, though it remains a supply chain risk.

TF006 — External data no boundary + financial operations:

  • missing-untrusted-data-boundary (M07) — partially triggered (generic notice exists but not per-command)
  • direct-financial (H05) ✅ triggered
  • TF006 conditions partially met → HIGH → WARN

Prompt Injection Scan

No instruction override, identity manipulation, hidden behavior, confirmation bypass, unauthorized operations, or hidden content (base64, invisible chars) detected in SKILL.md or source code.

Result: ✅ Clean

Dangerous Operations Check

The plugin involves:

  • Token approvals (unlimited u128::MAX amounts)
  • Swap execution
  • Liquidity add/remove
  • Reward claims

Confirmation steps:

  • --confirm flag required for write operations (preview mode without it)
  • --dry-run flag for testing without broadcasting
  • Print statements ask user to confirm before proceeding
  • However, wallet_contract_call_with_value always passes --force

Result: ⚠️ Review Needed — unlimited approvals and auto-force on payable calls

Data Exfiltration Risk

The install reporting script in SKILL.md sends:

  1. Plugin name/version to plugin-store-dun.vercel.app/install
  2. Plugin name + HMAC-signed device ID to www.okx.com/priapi/v1/wallet/plugins/download/report

The device ID is a SHA256 hash of hostname:uname -s:uname -m:$HOME — pseudonymous but could be fingerprinting. This is a telemetry pattern, not credential exfiltration, and is disclosed in the SKILL.md.

Result: ⚠️ Potential Risk — telemetry/device fingerprinting via install reporting, though non-credential data

Overall Security Rating: 🟡 Medium Risk

The TF005 toxic flow (curl|sh + financial) technically triggers CRITICAL, but the curl|sh pattern is the standard onchainos installer from the official OKX repository, used identically across all official plugins. The real risks are: unlimited token approvals, the --force flag on wallet_contract_call_with_value, and the lack of field-level data isolation for on-chain content.

6. Source Code Security (if source code is included)

Language & Build Config

  • Language: Rust (edition 2021)
  • Entry point: src/main.rs
  • Binary name: aerodrome-amm

Dependency Analysis

| Dependency | Version | Assessment |
|---|---|---|
| clap | 4 | ✅ Well-maintained CLI framework |
| tokio | 1 | ✅ Standard async runtime |
| reqwest | 0.12 (rustls-tls) | ✅ Well-maintained HTTP client, uses rustls (no OpenSSL) |
| serde / serde_json | 1 | ✅ Standard serialization |
| anyhow | 1 | ✅ Error handling |
| hex | 0.4 | ✅ Hex encoding utility |

No suspicious, unmaintained, or vulnerable dependencies detected. All are standard Rust ecosystem crates.

Code Safety Audit

| Check | Result | Detail |
|---|---|---|
| Hardcoded secrets (API keys, private keys, mnemonics) | ✅ Clean | No secrets found. Contract addresses are public on-chain constants. |
| Network requests to undeclared endpoints | ✅ Clean | Only https://base-rpc.publicnode.com (declared in plugin.yaml) and onchainos CLI commands |
| File system access outside plugin scope | ✅ Clean | No file system access in source code |
| Dynamic code execution (eval, exec, shell commands) | ⚠️ Review | Uses std::process::Command to shell out to onchainos CLI. Input data is constructed programmatically, not from raw user input directly, but token addresses from user args flow into CLI arguments. |
| Environment variable access beyond declared env | ✅ Clean | No environment variable access in source code |
| Build scripts with side effects (build.rs, postinstall) | ✅ Clean | No build.rs or post-build scripts |
| Unsafe code blocks (Rust) | ✅ Clean | No unsafe blocks in any source file |

Does SKILL.md accurately describe what the source code does?

Yes — The SKILL.md accurately describes the 7 commands (quote, swap, pools, positions, add-liquidity, remove-liquidity, claim-rewards), their parameters, and their behavior. The architecture description (read-only via RPC, write via onchainos) matches the code. Contract addresses match. The flow descriptions (approve → swap, approve → add liquidity, etc.) are accurate.

Minor discrepancy: SKILL.md says "Write operations require --confirm" but the code uses both --confirm (for the binary's own gating) and --force (passed to onchainos). The --confirm flag in the binary gates whether --force is passed to onchainos.

Verdict: ✅ Source Safe

7. Code Review

Quality Score: 72/100

| Dimension | Score | Notes |
|---|---|---|
| Completeness (pre-flight, commands, error handling) | 18/25 | Good command coverage. Pre-flight checks present but use unpinned curl \| sh. Error handling is basic but functional. Missing: no input sanitization on token addresses before passing to CLI args. |
| Clarity (descriptions, no ambiguity) | 20/25 | SKILL.md is well-organized with clear command descriptions, parameter tables, and flow explanations. Minor ambiguity around --confirm vs --force semantics. |
| Security Awareness (confirmations, slippage, limits) | 14/25 | Has --confirm/--dry-run flags. Has slippage control. Has untrusted data notice. However: unlimited token approvals (u128::MAX), wallet_contract_call_with_value always passes --force, no amount caps, no explicit user confirmation prompt (just println). |
| Skill Routing (defers correctly, no overreach) | 12/15 | Correctly defers to onchainos for all write operations. Correctly uses direct RPC for reads. Skill routing section in SKILL.md is appropriate. Minor: could defer price lookups to okx-dex-market instead of raw RPC. |
| Formatting (markdown, tables, code blocks) | 8/10 | Well-formatted SKILL.md with tables, code blocks, and clear sections. JSON output examples included. |

Strengths

  • Clean architecture: Clear separation between read (RPC) and write (onchainos) operations
  • Comprehensive command set: Covers the full Aerodrome AMM lifecycle (quote → swap → liquidity → rewards)
  • Well-documented: SKILL.md provides clear command descriptions, parameter tables, supported tokens, contract addresses, error handling, and security notices

Issues Found

  • 🔴 Critical: TF005 — curl | sh in SKILL.md with financial operations. The pre-flight section uses curl -fsSL ... | sh to install onchainos. While this is the standard pattern across official OKX plugins, it creates a supply chain risk especially combined with financial operations. Should pin to a specific version tag with checksum verification (as done in okx-security and okx-onchain-gateway pre-flight sections).

  • 🟡 Important: Unlimited token approvals (u128::MAX). All approve calls in swap.rs, add_liquidity.rs, and remove_liquidity.rs approve u128::MAX to the Router. This is a common DeFi pattern but creates risk if the Router contract is compromised. Should offer a limited approval option or at least warn users.

  • 🟡 Important: wallet_contract_call_with_value always passes --force (src/onchainos.rs line 90). This bypasses onchainos backend confirmation prompts for payable contract calls without user consent. Though this function is currently #[allow(dead_code)] (unused), it's concerning if activated in the future.

  • 🟡 Important: No checksum verification for binary download. The SKILL.md downloads the binary from GitHub releases without any SHA256 verification, unlike the official onchainos plugins which verify checksums.

  • 🟡 Important: Install telemetry with device fingerprinting. The "Report install" section computes a device ID from hostname:uname:arch:$HOME and sends it to two endpoints. While pseudonymous, this should be more transparently disclosed and made opt-out.

  • 🔵 Minor: Unpinned npx skills add commands — should pin to specific versions.

  • 🔵 Minor: No input validation on token addresses — user-supplied hex addresses are passed directly to RPC calls and CLI args without format validation (length, hex character check).

  • 🔵 Minor: Confirmation messages are println only — "Please confirm... (Proceeding automatically in non-interactive mode)" doesn't actually wait for user input; it's informational only for the AI agent.

8. Recommendations
  1. Replace curl | sh with checksummed install — Use the same pattern as official OKX plugins (okx-security, okx-onchain-gateway) that download the installer, verify its SHA256 against a checksums file, then execute. Pin to a specific version tag.

  2. Add checksum verification for binary download — Download a checksums file alongside the binary and verify SHA256 before making it executable.

  3. Offer limited token approvals — Add a --max-approve flag or default to approving only the required amount rather than u128::MAX. At minimum, add a prominent SKILL.md warning about unlimited approvals.

  4. Fix wallet_contract_call_with_value to respect force flag — Even though currently unused, this function should accept a force parameter like wallet_contract_call does, not hardcode --force.

  5. Add input validation for token addresses — Validate that hex addresses are 42 characters, start with 0x, and contain only hex digits before passing to RPC calls or onchainos CLI.

  6. Pin npx skills add to specific versions — Use npx skills@x.y.z add okx/onchainos-skills@vX.Y.Z.

  7. Make install telemetry opt-in or more transparent — Add a comment explaining what data is collected and why, or make it opt-in.

  8. Add field-level data isolation for on-chain content — Enumerate specific safe fields to display from RPC responses rather than passing raw JSON to the agent context.

9. Reviewer Summary

One-line verdict: Well-architected DeFi plugin that correctly uses onchainos for all write operations, but has supply chain risks from unpinned/unverified installations and uses unlimited token approvals without adequate warnings.

Merge recommendation: 🔍 Needs changes before merge

Changes required:

  1. Replace curl | sh with checksummed installer pattern (or pin to specific tagged version with checksum verification) — addresses C01/TF005
  2. Add SHA256 verification for binary download
  3. Pin npx skills add commands to specific versions
  4. Add warning about unlimited token approvals in SKILL.md security section
  5. Fix wallet_contract_call_with_value to not hardcode --force

Generated by Claude AI via Anthropic API — review the full report before approving.

@github-actions

github-actions bot commented Apr 9, 2026

Phase 4: Summary + Pre-flight for aerodrome-amm

Review below. AI Code Review is in a separate check.


Auto-injected Pre-flight
## Pre-flight Dependencies (auto-injected by Plugin Store CI)

> Run once per session before first use. These checks ensure required tools are installed.

### Install onchainos CLI + Skills (auto-injected)

```bash
# 1. Install onchainos CLI
onchainos --version 2>/dev/null || curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh

# 2. Install onchainos skills (enables AI agent to use onchainos commands)
npx skills add okx/onchainos-skills --yes --global

# 3. Install plugin-store skills (enables plugin discovery and management)
npx skills add MigOKG/plugin-store --skill plugin-store --yes --global
```

### Install aerodrome-amm binary (auto-injected)

```bash
if ! command -v aerodrome-amm >/dev/null 2>&1; then
  OS=$(uname -s | tr A-Z a-z)
  ARCH=$(uname -m)
  case "${OS}_${ARCH}" in
    darwin_arm64)  TARGET="aarch64-apple-darwin" ;;
    darwin_x86_64) TARGET="x86_64-apple-darwin" ;;
    linux_x86_64)  TARGET="x86_64-unknown-linux-gnu" ;;
    linux_aarch64) TARGET="aarch64-unknown-linux-gnu" ;;
  esac
  curl -fsSL "https://github.com/MigOKG/plugin-store/releases/download/plugins/aerodrome-amm@0.1.0/aerodrome-amm-${TARGET}" -o ~/.local/bin/aerodrome-amm
  chmod +x ~/.local/bin/aerodrome-amm
fi
```

### Report install (auto-injected, runs once)

```bash
REPORT_FLAG="$HOME/.plugin-store/reported/aerodrome-amm"
if [ ! -f "$REPORT_FLAG" ]; then
  mkdir -p "$HOME/.plugin-store/reported"
  # Device fingerprint → SHA256 → 32-char device ID
  DEV_RAW="$(hostname):$(uname -s):$(uname -m):$HOME"
  DEV_ID=$(echo -n "$DEV_RAW" | shasum -a 256 | head -c 32)
  # HMAC signature (obfuscated key, same as CLI binary)
  _K=$(echo 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' | base64 -d 2>/dev/null || echo 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' | openssl base64 -d)
  HMAC_SIG=$(echo -n "${_K}${DEV_ID}" | shasum -a 256 | head -c 8)
  DIV_ID="${DEV_ID}${HMAC_SIG}"
  unset _K
  # Report to Vercel stats
  curl -s -X POST "https://plugin-store-dun.vercel.app/install" \
    -H "Content-Type: application/json" \
    -d '{"name":"aerodrome-amm","version":"0.1.0"}' >/dev/null 2>&1 || true
  # Report to OKX API (with HMAC-signed device token)
  curl -s -X POST "https://www.okx.com/priapi/v1/wallet/plugins/download/report" \
    -H "Content-Type: application/json" \
    -d '{"pluginName":"aerodrome-amm","divId":"'"$DIV_ID"'"}' >/dev/null 2>&1 || true
  touch "$REPORT_FLAG"
fi
```


---
*Generated by Plugin Store CI after maintainer approval.*

@github-actions

github-actions bot commented Apr 9, 2026

🔨 Phase 2: Build Verification — ✅ PASSED

Plugin: aerodrome-amm | Language: rust
Source: @

Compiled from developer source code by our CI. Users install our build artifacts.

Build succeeded. Compiled artifact uploaded as workflow artifact.


Source integrity: commit SHA `` is the content fingerprint.
