polyhub_copy

Fail

Audited by Snyk on Apr 1, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill explicitly asks the user to "Send me the generated key" (an API secret) and contains examples that would embed that key into curl/bash commands if provided, which requires the LLM to accept and potentially include secret values verbatim, a direct exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.70). SKILL.md instructs the agent to fetch user-generated copy signals via GET /api/v1/copy-signals and the SSE stream GET /api/v1/copy-signals/stream from the Polyhub API, and those externally authored signals are consumed by the agent and can directly influence trading actions (creating/updating tasks, sells), which could enable indirect prompt injection.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly designed for copy-trading and includes concrete API calls that perform trading actions. It requires an API key and documents endpoints and payloads for creating/updating copy-trading tasks, placing orders (POST /api/v1/copy-tasks/{taskId}/sell and POST /sell-all), and managing TPSL rules that control take-profit/stop-loss behavior. It also notes "COPIED: the copy order was placed successfully" and includes pre-flight balance checks and direct POST calls that will execute sells or create copy orders. These are specific financial execution operations (placing/selling orders and managing trade-related rules), not generic tooling, so it grants direct financial execution authority.

Issues (3)

W007
HIGH

Insecure credential handling detected in skill instructions.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
HIGH
Analyzed
Apr 1, 2026, 03:56 PM
Issues
3