xxyy-trade

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill directly calls the external XXYY public APIs (e.g., POST /api/trade/open/api/feed/... in mcp/src/tools/feed.ts and GET /api/trade/open/api/query in mcp/src/tools/query.ts) to ingest token lists and token metadata (including social links, security flags, and tax info) and then uses those fields to generate warnings, prompts, and follow-up trade actions, so untrusted third‑party content can materially influence agent decisions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly provides on-chain trading endpoints (Buy Token / Sell Token) with example POST requests to /api/trade/open/api/swap, parameter tables for executing buys/sells (chain, walletAddress, tokenAddress, isBuy, amount, tip, slippage, etc.), and curl examples to perform trades. The documentation also states "API Key = Wallet access" and that XXYY is custodial and will execute trades on the user's behalf. The skill's primary and explicit purpose is to move funds via crypto trades, so it grants direct financial execution capability.