zest-borrow-asset-primitive

Warn

Audited by Snyk on Apr 30, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill fetches live protocol and oracle data from public third-party APIs (HIRO API endpoints such as https://api.hiro.so/extended/v1/... and the Pyth Hermes endpoint https://hermes.pyth.network, called from fetchJson/fetchPythPriceFeedBytes within collectContext and buildAndBroadcast); those responses are parsed and used directly to decide readiness, build transaction arguments, and drive broadcasts, so external content can materially influence behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly a blockchain financial write tool: it constructs and broadcasts on-chain borrow transactions on Stacks mainnet. It directly calls the Zest V2 borrow contract (SP1A27K...v0-4-market.borrow), requires a signer/wallet, enforces --confirm=BORROW before broadcasting, manages nonce/pending-tx checks, uses postconditions and SIP-010 asset names, and “can create debt.” This is a purpose-built crypto financial operation (borrowing assets), not a generic caller or browser automation, so it grants direct financial execution capability.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Apr 30, 2026, 11:12 PM
Issues: 2