blockchain-spider-toolkit

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill's example command templates pass API keys and RPC URLs as command-line arguments (placeholders like -a apikeys=<YOUR_ETHERSCAN_API_KEY>), which encourages embedding secret values verbatim in generated commands/outputs and thus poses an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). This skill (SKILL.md) instructs use of the BlockchainSpider Scrapy toolkit which explicitly crawls/ingests data from third‑party RPC/indexer/APIs and explorer endpoints (e.g., Etherscan‑compatible API, JSON‑RPC providers) as shown in the "Prerequisites" and "Example command shapes" sections, meaning the agent's workflow would read arbitrary public on‑chain and indexer/explorer outputs (user-submitted transaction data and third‑party API responses) that could materially influence follow‑on analysis or actions.