injective-cli
Fail
Audited by Snyk on Mar 10, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt includes explicit examples that embed passphrases and raw private keys into CLI commands (e.g., yes "passphrase" | ... and unsafe-import-eth-key <hex_private_key> / cat ~/.injectived/keystore_password.txt), which would require an agent to include secret values verbatim if followed.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The SKILL.md workflow explicitly instructs the agent to query public Injective nodes and endpoints (e.g., the listed mainnet/testnet endpoints like https://sentry.tm.injective.network:443) and to run commands such as injectived q tx and wasm smart queries that ingest on-chain and contract query results (public, user-generated/untrusted data) which the agent is expected to read and which can affect subsequent transaction or CLI decisions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill instructs using "npm i -g injective-core@latest" or "npx injective-core", which at runtime fetches and executes remote package code from the npm registry (https://registry.npmjs.org), so it is a required external dependency that executes remote code.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to interact with the Injective blockchain and to create, sign, and broadcast transactions. It describes using the injectived tx commands (e.g., injectived tx bank send <from> <to> <amount>), ledger signing flags, private-key import/export commands (unsafe-export-eth-key, unsafe-import-eth-key), use of keyrings and passphrase piping, and broadcasting/verification of tx hashes. These are specific crypto/blockchain transaction and signing capabilities (i.e., direct mechanisms to move value), not generic tooling. Therefore it grants direct financial execution authority.
Audit Metadata