phantom

Warn

Audited by Snyk on Apr 19, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill's required workflow (SKILL.md + references such as references/helius-das.md, references/helius-enhanced-transactions.md, references/helius-websockets.md, and references/helius-sender.md) explicitly instructs the agent to call public Helius endpoints and MCP tools that ingest and parse open/public, user-controlled off-chain metadata (Arweave/IPFS), transaction data, and third‑party serialized transactions—content the agent will read/interpret and that can materially change subsequent actions (e.g., parsing instructions, modifying/forwarding txs), so it clearly exposes the agent to untrusted third‑party content capable of indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill instructs installing and running remote code at runtime via the command "claude mcp add helius npx helius-mcp@latest", which uses npx to fetch and execute a remote npm package that the skill relies on (Helius MCP) — this is a runtime fetch that executes remote code.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly built to perform blockchain financial operations. It instructs connecting wallets (Phantom Connect), signing transactions in the browser/mobile, and submitting signed transactions via Helius Sender. Specific capabilities called out include transferring SOL/SPL tokens, NFT minting (creating/minting assets), accepting crypto payments (checkout flow + backend verification), and using Helius Sender and priority fee APIs to submit transactions. These are direct crypto transaction execution primitives (wallet signing + submit), which fall under "Crypto/Blockchain (Wallets, Swaps, Signing)" in the core rule.

Issues (3)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

  • Risk Level: MEDIUM
  • Analyzed: Apr 19, 2026, 07:10 PM
  • Issues: 3