uniswap-v3-swap
Warn
Audited by Snyk on Mar 7, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.70). The skill makes multiple RPC calls to public Base endpoints (e.g., cast call ... --rpc-url https://sepolia.base.org) to read on-chain, user-generated contract data (decimals(), factory.getPool, QuoterV2 quote, balances, allowances). The agent is required to interpret those results to choose pools, compute amounts, and decide whether to execute transactions, so untrusted third-party content can materially influence its actions.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a crypto trading/execution tool. It guides the agent to discover pools, quote amounts, construct exact swap calldata, and execute on-chain transactions (using keypo-wallet send and keypo-wallet batch). It includes explicit transaction operations: approve(), deposit(), withdraw(), exactInputSingle/exactInput encoding, sending value (wrapping ETH), and using SwapRouter contract addresses. These are direct blockchain money-movement capabilities (wallet signing/sending of transfers/swaps), not generic tooling. Therefore it grants Direct Financial Execution authority.