goat

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md shows a PriceFeedPlugin that fetches price data from the public CoinGecko API (https://api.coingecko.com/api/v3/...), which the agent is expected to read/interpret as tool output and that data can materially influence on-chain actions (trades/transfers), exposing it to untrusted third‑party content.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). Yes. The GOAT skill is explicitly an onchain execution toolkit: it provides wallet providers (viem, solana, crossmint, Safe multisig, etc.), wallet client interfaces that include sendTransaction/sendTransaction-like methods, and many plugins that perform financial actions (sendETH, sendSOL, erc20 transfers, DEX swaps like uniswap/1inch/jupiter, cross-chain bridging, arbitrary smart-contract calls). The docs show configuring private keys/Crossmint API keys, invoking getOnChainTools with plugins, and example prompts that instruct the agent to "Send 5 USDC..." or "Swap 1 SOL for USDC on Jupiter." It also exposes an MCP server and adapters so agents can remotely invoke these tools. These are specific, purpose-built crypto/financial APIs that move funds and sign transactions, so this is Direct Financial Execution by design.