swap-build

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to fetch and ingest JSON from public third‑party APIs (e.g., the Step 4 GET to https://aggregator-api.kyberswap.com and the token fallback to https://token-api.kyberswap.com and CoinGecko) and requires using the returned routeSummary/token data verbatim to build POST requests and decision logic, so external responses can directly influence tool actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly performs runtime fetches (WebFetch and a bash curl) to endpoints such as https://aggregator-api.kyberswap.com/{chain}/api/v1/routes and requires injecting the exact returned routeSummary JSON verbatim into the subsequent POST to https://aggregator-api.kyberswap.com/{chain}/api/v1/route/build, so the remote content is fetched at runtime, directly determines the agent's build instructions, and is a required dependency.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). This skill is explicitly designed for crypto financial operations: it fetches swap routes from KyberSwap, builds encoded swap calldata, and issues a POST to the KyberSwap /route/build API (via curl) including sender, recipient, slippage, deadline, and optional ERC-2612 permit. It constructs the on-chain transaction "data" and "value" fields (ready for submission) and handles token approval logic. These are specific crypto swap/build capabilities (not generic browsing or HTTP). Therefore it provides direct financial execution capability for blockchain token swaps.