bitget-wallet
Warn
Audited by Snyk on Mar 14, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to fetch and re-install code from public GitHub (e.g., "Fetch the latest CHANGELOG.md from https://raw.githubusercontent.com/bitget-wallet-ai-lab/bitget-wallet-skill/main/CHANGELOG.md" and to re-install the repository if an update is found), which means untrusted public content is read and can drive upgrades that materially change tool behaviour.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly fetches the runtime CHANGELOG from https://raw.githubusercontent.com/bitget-wallet-ai-lab/bitget-wallet-skill/main/CHANGELOG.md to decide whether to prompt an upgrade and, upon user confirmation, directs reinstalling from https://github.com/bitget-wallet-ai-lab/bitget-wallet-skill which would replace local skill files with remote code and thereby allow external content to directly control agent prompts/behavior.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly provides crypto financial execution capabilities. It includes wallet creation and mnemonic/key management, private-key signing flows, and endpoints/scripts to create, sign, and broadcast swaps and orders (e.g., swap-calldata, swap-send, order-create, order-submit). It also contains an x402 payments client with functions to sign and pay (EIP-3009, Solana partial-sign, full HTTP 402 pay). These are specific, purpose-built tools to sign/send on-chain transactions and perform payments—i.e., move funds.
Issues (3)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).