dfm-agent

Warn

Audited by Snyk on May 6, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). In "Step 1: Research", the SKILL.md explicitly instructs the agent to use WebSearch/WebFetch to scrape public third-party sources (CoinGecko, CoinMarketCap, DexScreener, Solana token lists, protocol sites, etc.) for token discovery. The agent is expected to read this content and use it to decide assets, allocations, and policies, so untrusted external content can influence its actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform on-chain financial operations. It manages a Solana agent wallet (DFM_AGENT_KEYPAIR), builds unsigned transactions via platform APIs (e.g. /launch-dtf, /update-assets-tx, /deposit-tx, /redeem-tx, /dtf/:symbol/distribute-fees), signs those VersionedTransactions locally with the agent keypair using @solana/web3.js, and submits them to Solana RPC. It also implements end-to-end deposit and redeem flows (fan-out/fan-in swaps, ticket queueing, recording transactions), rebalance and fee-distribution endpoints, and keypair generation—all of which directly move funds or mint/redeem shares. Although non-custodial in wording, the agent has direct crypto/blockchain execution authority (wallet signing and submission), which meets the "Crypto/Blockchain (Wallets, Swaps, Signing)" criterion for Direct Financial Execution.

Issues (2)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: MEDIUM
Analyzed: May 6, 2026, 08:27 AM
Issues: 2