swig-smart-wallet
Fail
Audited by Snyk on Feb 26, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill explicitly tells the agent to ask the user for Paymaster API keys and other secret values and to store them (e.g., in a .env), which requires the LLM to accept those secrets and could lead to it outputting them verbatim.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill explicitly asks for a Solana RPC endpoint (e.g., public mainnet/devnet or custom RPC like Helius/Triton) and instructs the agent to call/fetch on-chain state via fetchSwig/refetch and to interact with external endpoints (user-provided sponsorUrl and the Swig Paymaster API/dashboard.onswig.com), so it ingests untrusted public blockchain/RPC and arbitrary URL responses that directly influence decisions and transactions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The README includes explicit runtime install commands that fetch remote skill instructions (e.g., curl "https://raw.githubusercontent.com/anagrambuild/swig-ts/main/skills/swig-smart-wallet/SKILL.md" and the npx installer URL https://github.com/anagrambuild/swig-ts/tree/main/skills/swig-smart-wallet), which would download external Markdown that an agent would load as its skill/instructions and thus directly control prompts.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to create and manage on-chain Solana smart wallets and to execute signed transactions that move SOL/tokens. It includes concrete APIs and flows for: generating keypairs, wrapping and sending transfer instructions (SystemProgram.transfer), using paymaster clients (createPaymasterClient, signAndSend / fullySign), sponsoring transactions via a gas server (API endpoints), and verifying balances. These are specific crypto/blockchain wallet and transaction-execution capabilities (not generic). Therefore it grants direct financial execution authority.