injective-mcp-servers
Warn
Audited by Snyk on Mar 17, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). This skill explicitly tells the agent to connect to the public Injective documentation MCP at https://docs.injective.network/mcp and to use SearchInjectiveDocs (and links to a public GitHub README), so the agent will ingest open third‑party documentation which can materially influence subsequent MCP tool calls such as trade_open and transfer_send.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill instructs agents to connect at runtime to the hosted MCP endpoint https://docs.injective.network/mcp (and also provides steps to git clone and run https://github.com/InjectiveLabs/mcp-server), which expose tool definitions and/or execute remote code that the LLM will call—i.e., external content directly controls agent behavior and can run code.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly exposes tools to perform financial operations on Injective: opening/closing market orders (trade_open, trade_close, trade_limit_open, trade_limit_close), sending tokens and deposits/withdrawals (transfer_send, subaccount_deposit, subaccount_withdraw), bridging/bridge sends (bridge_withdraw_to_eth, bridge_debridge_send), broadcasting raw EVM transactions (evm_broadcast), and wallet operations including import (wallet_import) and generate (wallet_generate) with signing (Cosmos and EIP‑712/MetaMask-compatible). These are specific, money-moving APIs (trade execution, token transfers, bridging, transaction signing/broadcasting), not generic tooling, so this grants direct financial execution capability.
Issues (3)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).