injective-trading-tokens

Fail

Audited by Snyk on Mar 21, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill's tool calls include a required "password" parameter for transfers and subaccount operations, which requires the agent to accept user keystore passwords and embed them verbatim in its tool requests and outputs, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). This skill calls token_metadata, which "resolves against the on-chain Injective token registry" (SKILL.md). That registry is a public blockchain registry of third-party, untrusted entries; the agent reads its metadata (symbols, decimals, peggyDenom) and uses it to decide transfers and conversions, so malicious or spoofed registry entries could materially alter the agent's actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly exposes blockchain token transfer and account-fund-management operations: transfer_send (sending tokens between addresses) and subaccount_deposit / subaccount_withdraw (moving tokens into and out of trading subaccounts). These are direct crypto transaction operations, requiring the keystore and password, intended to move funds on the Injective network, so the skill has direct financial execution capability.

Audit Metadata

Risk Level: HIGH
Analyzed: Mar 21, 2026, 06:14 PM
Issues: 3