near-intents-trading

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs running a public install script (curl ... raw.githubusercontent.com) and mandates running/reading the output of third‑party tools/commands (portfolio balances, near-intents llm onboard, and using Flipside/Ankr APIs) whose public/untrusted responses (onboard text, balances, and intel) are read and used to drive quoting, swap commands, and decision-making.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill requires installing runtime CLI tools via a shell pipeline that fetches and executes remote code from https://raw.githubusercontent.com/FlipsideCrypto/near-intents-cli/main/install.sh (curl ... | sh), which runs remote code and is a required dependency for the skill.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly and specifically designed for crypto trading and transaction execution. It documents two dedicated CLI tools (near-intents and portfolio) whose primary purposes include quoting swaps, executing swaps, submitting transactions, polling transaction status, and managing deposit/withdraw flows across chains. It lists concrete executable commands and flags (e.g., near-intents swap --from --to --amount --recipient --refund-to, submit-tx --deposit-address --tx-hash, status, quote) and instructs an execution loop culminating in "EXECUTE → near-intents swap + submit-tx". It also requires collecting API keys and describes native signing/withdrawal flows (near-cli, ft_withdraw) and cross-chain signing URLs. These are specific crypto financial execution capabilities (wallets, swaps, signing, submitting transactions), not generic tooling, so it grants Direct Financial Execution Authority.