helius-dflow

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to fetch and consume public, user-generated market and asset data (e.g., DFlow Metadata API endpoints like GET /api/v1/markets and the DFlow WebSocket wss://prediction-markets-api.dflow.net, plus Helius DAS which includes off-chain IPFS/Arweave metadata) and to use that data to make trading, routing, and submission decisions, so untrusted third‑party content can materially influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill includes an installation command that fetches and immediately executes remote code—"curl -fsS https://cli.dflow.net | sh"—which is used at runtime to install the DFlow Agent CLI (a required dependency) and thus represents a high-confidence remote-code execution risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed to execute crypto financial transactions. It documents DFlow trading APIs (spot swaps, prediction market orders, DFlow order API), an Agent CLI that "handles wallet management, transaction signing, and execution" and can "go from prompt to trade in a single command", and Helius transaction submission primitives (Sender, transferSol, getPriorityFeeEstimate, parseTransactions, etc.). The MCP examples include heliusWrite({ action: "transferSol", ... }) and instructions that DFlow trades must be submitted via Helius Sender with specific transaction flags. The skill therefore contains specific, purpose-built capabilities to move crypto assets and place market orders on Solana (including autonomous agent execution), not generic tooling.