injective-cli
Fail
Audited by Snyk on Feb 25, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs embedding passphrases and keystore contents verbatim in shell commands and files (e.g., `yes "passphrase" | injectived tx ...` and `cat ~/.injectived/keystore_password.txt | injectived tx ...`), which requires the LLM to handle and output secret values directly. A passphrase passed as an argument to `yes` is additionally written to the shell history and visible in the process list (argv) for as long as the pipeline runs.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's bundled reference docs explicitly tell the user/agent to fetch the public llms.txt at https://docs.injective.network/llms.txt (see references/injectived-advanced.md and references/injectived-use.md) and the workflow directs connecting to public RPC endpoints (e.g., https://sentry.tm.injective.network:443), so the agent is expected to ingest open/public third-party content that could influence which commands or transactions it issues.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to build, sign, and broadcast blockchain transactions. It documents using the injectived CLI against Injective mainnet/testnet, references the `tx` and `keys` subcommands, describes piping/storing passphrases, using `--yes` to skip confirmations, setting gas/gas-prices, broadcasting (with `injectived q tx <tx_hash>` to verify inclusion), and managing keystore files. Those are specific crypto/blockchain wallet and transaction operations (signing and sending on-chain), i.e., direct financial execution capability.
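The three finding classes above can be checked mechanically before a skill is shipped. The scanner below is an added example, not Snyk's tooling and not part of the audited skill: it runs W007/W009/W011 checks over a constructed sample of skill instructions. The rule IDs and severities are taken from this report; the regexes, the sample text and the risk-level roll-up are this example's own assumptions.

```python
"""Added example: a minimal scanner for the three finding classes in the
report above.  Not Snyk's scanner.  Rule IDs/severities come from the
report; the patterns, sample text and roll-up rule are assumptions."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str       # "W007", "W009" or "W011"
    severity: str   # "HIGH" or "MEDIUM"
    line_no: int    # 1-based line in the skill text
    evidence: str   # the matched fragment


SEVERITY = {"W007": "HIGH", "W009": "MEDIUM", "W011": "MEDIUM"}

# W007: a secret value or secret file piped into a command on the same line
# (assumed patterns; they cover the two cases quoted in the report).
CREDENTIAL_PATTERNS = (
    re.compile(r'\byes\s+(["\']).+?\1\s*\|'),                                  # yes "passphrase" | ...
    re.compile(r'\bcat\s+\S*(?:passphrase|password|keystore)\S*\s*\|', re.I),  # cat .../keystore_password.txt | ...
)

# W009: wallet/transaction operations, worse when confirmation is skipped.
MONEY_PATTERNS = (
    re.compile(r'\binjectived\s+(?:tx|keys)\b'),   # sign/broadcast or key management
    re.compile(r'(?<!\S)(?:--yes|-y)(?!\S)'),      # skips the interactive confirmation
    re.compile(r'--gas-prices\b'),                 # fee setting for a real broadcast
)

# W011: the agent is told to fetch or connect to remote third-party content.
URL_PATTERN = re.compile(r'https?://[^\s)>\]"\']+')


def scan(instructions: str) -> list[Finding]:
    """Return every finding in line order; at most one W007 and one W009 per line."""
    findings: list[Finding] = []
    for n, line in enumerate(instructions.splitlines(), 1):
        for rule, patterns in (("W007", CREDENTIAL_PATTERNS), ("W009", MONEY_PATTERNS)):
            for pat in patterns:
                m = pat.search(line)
                if m:
                    findings.append(Finding(rule, SEVERITY[rule], n, m.group(0)))
                    break
        for m in URL_PATTERN.finditer(line):
            findings.append(Finding("W011", SEVERITY["W011"], n, m.group(0)))
    return findings


def risk_level(findings: list[Finding]) -> str:
    """Roll-up (assumed rule): any HIGH finding => HIGH, else any finding => MEDIUM, else LOW."""
    if any(f.severity == "HIGH" for f in findings):
        return "HIGH"
    return "MEDIUM" if findings else "LOW"


# Constructed sample skill text; it is NOT the audited skill's real instructions.
SAMPLE_SKILL = """\
# injective-cli skill (constructed sample for this example)
Fetch https://docs.injective.network/llms.txt before planning any command.
Query mainnet with --node https://sentry.tm.injective.network:443 when needed.
injectived keys add trader
yes "correct horse battery" | injectived tx bank send trader <recipient> 10inj --yes --gas-prices 500000000inj
cat ~/.injectived/keystore_password.txt | injectived tx exchange deposit <amount> -y
injectived q tx <tx_hash>
"""

if __name__ == "__main__":
    fs = scan(SAMPLE_SKILL)
    for f in fs:
        print(f"{f.severity:6} {f.rule} line {f.line_no}: {f.evidence}")
    print("Risk Level:", risk_level(fs))
```

Run as a script it lists each hit with its line and evidence and rolls them up to a risk level; on the sample above the two piped-secret lines alone are enough for HIGH, matching the verdict this report gives. The query line (`injectived q tx <tx_hash>`) deliberately produces nothing, since reading a transaction is not a signing capability.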
Audit Metadata