jupiter-lend

Audited by Snyk on Mar 18, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The SKILL.md and examples explicitly show the agent querying public RPC endpoints (e.g., initializing Client with Connection("https://api.mainnet-beta.solana.com") and calling client.vault.positionsByUser / getVaultByVaultId) and then using that on-chain, user-controlled data to decide actions (create vs reuse position, amounts, build/send transactions), so it consumes untrusted third-party content that can materially influence behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly exposes on-chain write operations for a lending protocol on Solana. It documents a write SDK (@jup-ag/lend) with functions that create and return transaction instructions for deposits, withdrawals, borrow, repay, vault operations (getDepositIxs, getWithdrawIxs, getOperateIx, getFlashloanIx), sentinel values for max repay/withdraw, and examples that build, sign (using a Keypair/private key), and send VersionedTransactions via connection.sendTransaction. These are concrete crypto financial actions (depositing collateral, borrowing debt, repaying, withdrawing, flashloans) — i.e., direct financial execution (crypto/blockchain wallet interactions and asset transfers).

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 18, 2026, 02:31 PM
Issues: 2