bags
Verdict: Warn
Audited by Snyk on Feb 20, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill calls the public Bags API (https://public-api-v2.bags.fm/api/v1/) to fetch user/token metadata and Base58-encoded transactions (e.g., /token-launch/claim-txs/v3, /token-launch/create-launch-transaction, /token-launch/fee-share/create-config), then signs and submits the returned transactions, so untrusted third-party content can directly influence the actions the agent takes.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill calls the Bags API at https://public-api-v2.bags.fm/api/v1/ at runtime to fetch Base58-encoded transaction payloads (e.g., /trade/swap, /token-launch/claim-txs/v3, fee config/partner transactions), which are deserialized, signed, and submitted. Because remote data directly controls the executable transactions, this external URL is a high-risk runtime dependency.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly provides blockchain financial operations: it supports executing swaps ("/bags swap ... Execute swap"), launching tokens ("/bags launch ..."), claiming and distributing fees ("/bags claim", "/bags fee-config", partner-claim), and includes configuration for a SOLANA_PRIVATE_KEY used to sign swaps and launches. It also references an API base URL and auth key for programmatic access. These are specific crypto/blockchain transaction functions (wallet signing, swaps, fee claims, token launches), i.e., direct financial execution capabilities.