percolator

Warn

Audited by Snyk on Feb 18, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill instructs the agent to invoke and consume data from open, third-party Solana programs and feeds: matcher CPIs (user-supplied matcher programs that return execution prices) and public oracle accounts such as Pyth and Chainlink (e.g., the devnet Chainlink feed 99B2... and Pyth feed IDs). These are untrusted, user-provided sources, and the agent is expected to read them and act on their output during trade execution; that is the indirect-injection path the warning refers to, since data the agent did not author decides what it does next.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly a perpetual-futures protocol built on Solana with on-chain programs, CLI tooling, and matcher/keeper operations. It defines concrete financial actions and APIs: deposit/withdraw commands that move lamports, trade-cpi for executing trades, keeper-crank and keeper bots for liquidation/funding operations, along with use of @solana/web3.js and Solana program addresses. These are specific crypto/blockchain financial operations (wallets, on-chain transactions, trading, and fund management), not generic tooling. Therefore the skill provides direct financial execution capability: an agent running it can submit transactions that move funds.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 18, 2026, 03:46 AM