grimoire-hyperliquid

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill queries public Hyperliquid venue data (mids, l2-book, open-orders, meta/spot-meta) via the Grimoire CLI and can emit those third‑party market/metadata snapshots (including --format spell) which the agent reads, so it ingests untrusted public content from the Hyperliquid venue.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly exposes a withdraw command for Hyperliquid with parameters to send funds: "--amount --keystore [--password-env ] [--destination ]". The notes state "withdraw is stateful and requires explicit user confirmation plus keystore credentials." This is a specific, built-in capability to move money/crypto (initiate withdrawals), not a generic tool. Other commands are read-only, but the presence of the withdraw operation with keystore and destination makes this direct financial execution.