relay-diagnostic

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill fetches live, public relay and blockchain data (e.g., fetch to ${relayUrl}/health and ${baseUrl}/extended/v1/address/${address}/nonces and the Hiro API mempool via getHiroApi().getMempoolTransactions in relay-diagnostic.ts), which are third‑party/public and include user-submitted transactions that the agent reads and uses to decide recovery actions, so untrusted external content can materially influence tool use.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly includes a "recover" command that requires an unlocked wallet (to source the sponsor API key) and performs blockchain transaction operations: RBF (replace-by-fee), gap-fill, or both to recover stuck sponsored transactions. It names a sponsor address, targets mainnet, and modifies nonce/transaction state — i.e., it will send or modify on-chain transactions. This matches "Crypto/Blockchain (Wallets, Swaps, Signing)" and is specifically designed to move/operate on funds/transactions, so it grants direct financial execution capability.