walletconnect-agent
Warn
Audited by Snyk on Apr 27, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill directly loads and scrapes a public dApp page: register-basename.js navigates to https://www.base.org/names and uses page.content(), the clipboard, and QR extraction. Separately, wc-connect.js pairs with arbitrary dApps via WalletConnect, reading proposer metadata and session_request payloads. The skill then interprets this untrusted, user-controlled page and session content to decide on and perform signing and sending actions, so third-party content can materially influence agent behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). At runtime the script navigates to and interacts with the external dApp at https://www.base.org/names to obtain a WalletConnect URI, then pairs with that dApp. The dApp can send signing requests that the agent, which auto-approves by default, will execute, so this URL is a runtime dependency that controls the actions the agent performs.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a WalletConnect agent built to connect an AI to Web3 dApps and "auto-sign transactions." It lists direct crypto operations (swap on Uniswap, mint NFTs, vote in DAOs, register domains), supports eth_sendTransaction, multi-chain RPCs, and an environment-provided PRIVATE_KEY. It includes an Auto-Approve mode that automatically signs/approves requests and an --allow-eth-sign flag to enable raw signing. These are specific, purpose-built capabilities to execute cryptocurrency transactions and move funds/tokens autonomously, not generic tooling.
Issues (3)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).