opentrade-cex

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's Cross-Skill Workflow C explicitly instructs the agent to call [opennews] ("Search crypto news") and [opentwitter] ("Check KOL sentiment") — i.e., ingest public news and social media content — and then use those signals to decide and execute CEX trades, so untrusted third‑party content can materially influence tool actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed for centralized exchange trading and includes multiple write endpoints that execute financial actions server-side. It defines POST /orders (place market/limit/stop orders), PUT /orders/edit, DELETE /orders/:orderId (cancel), POST /positions/close (close positions), PUT /leverage/current (set leverage), and workflows that show automated order placement and position management. It also accepts exchange API credentials (config update) and manages wallet agents (create/authorize). Although protected by a risk engine, these are direct trading and money-moving operations on CEXes (placing market orders, changing leverage, closing positions), so the skill grants Direct Financial Execution Authority.