helius-phantom

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to call Helius APIs (e.g., DAS, Enhanced Transactions, Wallet API) and to ingest and interpret third-party content including off-chain NFT metadata (Arweave/IPFS) and even pre-serialized transactions from external APIs as part of normal workflows (see references/helius-das.md, references/helius-enhanced-transactions.md, and references/helius-sender.md), so untrusted user-generated content can influence decisions and tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly requires installing and running the Helius MCP package via the runtime command "claude mcp add helius npx helius-mcp@latest" (i.e., fetching/executing the remote npm package), which fetches and executes remote code and is required for the skill to function.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed for blockchain financial operations. It documents Phantom wallet integration for signing transactions, Helius Sender and Sender endpoints for submitting transactions, and explicit flows for transferring SOL/SPL tokens, NFT minting, and accepting crypto payments. It names actions like submitting signed transactions, using priority fee estimates, building and sending versioned transactions, and verifying payments on-chain. These are specific crypto execution capabilities (wallet signing + transaction submission), not generic tooling — therefore it grants direct financial execution authority.