across-protocol-ai-agent-skill

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to call and consume data from public Across API endpoints (e.g., GET/POST /swap/approval, /suggested-fees, /swap/tokens as described in swap/SKILL.md, embedded-crosschain-actions/SKILL.md and bridge/SKILL.md) and to use response fields like approvalTxns, swapTx, and actions to construct and submit transactions, so third-party API responses can directly influence subsequent tool use and behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly about crosschain token transfers and includes concrete APIs and transaction primitives for moving money. It references Swap API endpoints (GET /swap/approval and POST /swap/approval) that "return executable calldata to sign and submit," instructions for assembling depositV3 calls, integrator fee collection fields (appFee, appFeeRecipient), embedded destination actions (mint/stake/deposit in one tx), on-chain intent construction (ERC-7683 / SpokePool deposits), relayer operation/configuration, and mainnet/testnet endpoints. These are specific financial execution features (constructing/sending blockchain transactions and collecting fees), not generic tooling, so it grants direct financial execution capability.