dflow

Warn

Audited by Snyk on Apr 19, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to fetch and act on live, public third‑party data — e.g., DFlow WebSockets (wss://prediction-markets-api.dflow.net) and DFlow Metadata/Trade APIs (pond.dflow.net) as well as Helius DAS (which includes off-chain Arweave/IPFS metadata) — and this data (market/event metadata and real-time feeds) is untrusted/user-provided and directly influences autonomous trading decisions, satisfying the criteria for indirect prompt injection risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). Flagged https://cli.dflow.net because the skill's installation step explicitly runs "curl -fsS https://cli.dflow.net | sh", which fetches and immediately executes remote code at runtime, and because the DFlow Agent CLI installed from that URL is presented as a required dependency for agent/CLI workflows.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly designed to execute cryptocurrency trades and submit signed transactions. It documents DFlow trading APIs for spot swaps and prediction-market trades, the DFlow Agent CLI that “handles wallet management, transaction signing, and execution — agents go from prompt to trade in a single command,” and Helius Sender for direct transaction submission/fee optimization. It instructs to “ALWAYS submit DFlow transactions via Helius Sender,” covers “swap tokens on Solana,” “execute trades,” “submit raw transactions,” and wallet/agent configuration for autonomous trading. These are specific crypto/blockchain transaction and wallet APIs intended to move funds, satisfying the Direct Financial Execution criteria.

Issues (3)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

  • Risk Level: MEDIUM
  • Analyzed: Apr 19, 2026, 07:10 PM
  • Issues: 3