walletchan

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly tells the user to "share" the Agent Password with the agent and instructs the agent to enter that password to unlock the wallet (i.e., the LLM must accept and inject the secret into browser automation), which requires handling the secret verbatim and creates an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's Core Workflow (SKILL.md steps 1–6) instructs the agent to navigate arbitrary third‑party dapp URLs (e.g., app.uniswap.org, app.aave.com) via Chrome CDP, read and interact with those public pages and the resulting transaction requests, and then interpret/confirm decoded calldata in the WalletChan extension—clearly ingesting untrusted web content that can materially influence signing/transaction decisions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed to operate a browser wallet extension (WalletChan) to connect wallets, swap tokens, supply/deposit to DeFi protocols, sign messages, and perform blockchain transactions. The core workflow instructs the agent to trigger transactions in dapps, switch to the extension tab, unlock the wallet with an Agent Password, review decoded/raw calldata, and confirm or reject transactions. This is a purpose-built crypto/wallet execution tool (wallet control, token swaps, signing, broadcasting TXs), so it grants direct financial execution capability.