zap

Warn

Audited by Snyk on Apr 6, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). At runtime the skill makes WebFetch calls to the Kyber ZaaS route endpoints (e.g., https://zap-api.kyberswap.com/{chain}/api/v1/in/route and the related /out/route and /migrate/route), asks for "the full JSON response body exactly as received", and then requires that exact route object to be pasted verbatim into the subsequent build POST, which returns encoded calldata. The remote responses therefore directly determine what transaction the agent builds, and the endpoints are a required runtime dependency whose content the skill has no way to verify. Anything the remote side puts into the route or build response (target contract, attached value, calldata) flows into the transaction unless the caller checks it independently before signing.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly designed for on-chain crypto financial operations. It uses the KyberSwap ZaaS APIs to calculate routes and build encoded transaction calldata for zapping in, zapping out, and migrating concentrated liquidity positions across EVM chains. It requires a sender address, constructs POST build requests that produce encoded calldata, instructs the user on ERC-20/ERC-721 approvals (including specific spender/router addresses), and outputs the transaction "to", "value", and "data" fields for signing and broadcast. These are specific transaction-building and swap/liquidity-management functions, not generic HTTP or browser automation, so the skill grants direct financial execution capability; combined with W012, the party answering the route and build requests chooses the contract, value and calldata that the user is asked to sign.
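The practical mitigation for both findings is the same: treat the route object and the build response as untrusted input and verify the transaction fields against facts the operator knows independently (which chain, which sender, which router contracts, how much native value is acceptable) before anything reaches a signer. The guard below is an added example for this page; it is not code from the audited skill, from Snyk, or from KyberSwap. Only the "to", "value" and "data" field names come from the audit text. The Policy class, the router address and function selectors in the allowlists, the optional "chainId"/"from" keys, and the sample responses are assumptions constructed for illustration.

```python
"""Pre-signing guard for agent-built transactions.

Added example for this audit page; not code from the audited skill, Snyk,
or the KyberSwap ZaaS API. Only the "to", "value" and "data" field names
come from the audit text; every address, selector and sample below is assumed.
"""
from dataclasses import dataclass

HEX = set("0123456789abcdef")


@dataclass(frozen=True)
class Policy:
    """Facts the operator knows without trusting any remote response."""
    chain_id: int                 # chain the user asked to zap on
    sender: str                   # address that will sign
    allowed_to: frozenset         # contracts we are willing to call (assumed addresses)
    allowed_selectors: frozenset  # 4-byte selectors we expect in calldata (assumed)
    max_value_wei: int            # cap on native value attached to the call


def norm_addr(addr) -> str:
    """Lower-case a 20-byte hex address or raise ValueError."""
    a = str(addr).strip().lower()
    if not (a.startswith("0x") and len(a) == 42 and set(a[2:]) <= HEX):
        raise ValueError(f"malformed address: {addr!r}")
    return a


def check_tx(tx: dict, policy: Policy) -> list:
    """Return the policy violations in a build response; [] means OK to sign."""
    problems = []
    try:
        if norm_addr(tx.get("to", "")) not in policy.allowed_to:
            problems.append("to is not an allowlisted contract")
    except ValueError as e:
        problems.append(str(e))

    try:
        value = int(str(tx.get("value", "0")), 0)   # accepts "0x..", "123" or int
    except ValueError:
        problems.append("value is not an integer")
        value = 0
    if not 0 <= value <= policy.max_value_wei:
        problems.append(f"value {value} exceeds cap {policy.max_value_wei}")

    data = str(tx.get("data", "")).lower()
    if data.startswith("0x") and len(data) >= 10 and len(data) % 2 == 0 and set(data[2:]) <= HEX:
        if data[:10] not in policy.allowed_selectors:
            problems.append(f"unexpected function selector {data[:10]}")
    else:
        problems.append("data is not hex calldata with a 4-byte selector")

    # If the response echoes a chain or sender, it must match what we asked for;
    # the remote party must not be able to redirect the call silently.
    if "chainId" in tx:
        try:
            if int(str(tx["chainId"]), 0) != policy.chain_id:
                problems.append(f"chainId {tx['chainId']} differs from requested {policy.chain_id}")
        except ValueError:
            problems.append("chainId is not an integer")
    if "from" in tx and str(tx["from"]).lower() != policy.sender.lower():
        problems.append("from differs from the configured sender")
    return problems


def check_approval(spender, amount: int, build_tx: dict, max_amount: int) -> list:
    """An ERC-20 approval the skill asks for must name the contract the build
    transaction actually calls, and must not exceed the amount being zapped."""
    problems = []
    try:
        if norm_addr(spender) != norm_addr(build_tx.get("to", "")):
            problems.append("approval spender differs from the build tx target")
    except ValueError as e:
        problems.append(str(e))
    if amount > max_amount:
        problems.append(f"approval amount {amount} exceeds zap amount {max_amount}")
    return problems


# Assumed values for the demo; a real deployment takes these from operator config.
ROUTER = "0x1111111111111111111111111111111111111111"   # assumed zap router address
ZAP_IN = "0xabcdef01"                                    # assumed zap-in selector
ATTACKER = "0x3333333333333333333333333333333333333333"  # assumed swapped-in target

POLICY = Policy(
    chain_id=1,
    sender="0x2222222222222222222222222222222222222222",
    allowed_to=frozenset({ROUTER}),
    allowed_selectors=frozenset({ZAP_IN}),
    max_value_wei=0,   # ERC-20 zap: no native value expected
)

# Constructed sample responses, not real API output.
GOOD_TX = {"to": ROUTER, "value": "0", "data": ZAP_IN + "00" * 64}
BAD_TX = {  # same shape, but the target was swapped, 1 ETH attached, and the
    "to": ATTACKER,                    # calldata now starts with the ERC-20
    "value": "0xde0b6b3a7640000",      # approve(address,uint256) selector
    "data": "0x095ea7b3" + "00" * 64,
}

if __name__ == "__main__":
    for name, tx in (("good", GOOD_TX), ("bad", BAD_TX)):
        print(name, check_tx(tx, POLICY) or "ok")
```

The checks deliberately compare against values that never pass through the remote service: the allowlist of router contracts, the value cap, the expected selector, and the configured chain and sender. A response that changes any of them is rejected before signing, which is the point at which the W012 dependency would otherwise turn into W009's money movement.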

Issues (2)

W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 6, 2026, 04:45 AM
Issues: 2