goldrush-foundational-api
Fail
Audited by Snyk on Mar 10, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt includes explicit examples that embed an API key directly in code and curl headers (e.g., Authorization: Bearer YOUR_API_KEY and client constructor with "YOUR_API_KEY"), which requires the LLM to place secret values verbatim in generated commands or code.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.70). The SKILL.md explicitly instructs the agent to call the GoldRush Foundational API endpoints (e.g., getNftsForAddress, getLogEventsByAddress, getTokenBalancesForWalletAddress in references/endpoints-nft-security-crosschain.md and endpoints-transactions.md) which ingest public, user-generated on-chain data and NFT metadata (including input_data, decoded logs, metadata and logo_url fields) that the agent is expected to read and that can materially influence decisions like security checks or follow-up actions.