deepbook-cli

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill issues runtime reads/streams from external provider and RPC endpoints (e.g., commands like deepbook orderbook/trades/stream and configurable flags/commands --base-url, --stream-base-url, set-provider-base-url, set-provider-stream-base-url, set-rpc-url) so it ingests content from arbitrary third-party endpoints that the agent will read and interpret.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly provides on-chain crypto trading and wallet management commands: spot buy/sell/limit, swap (base-for-quote / quote-for-base), margin market/limit/close, deposit/withdraw to/from managers, manager withdraw, and balance-manager operations. It also supports private key import/flags (--private-key, config import-key) and live execution (not just dry-run). These are specific crypto/blockchain transaction capabilities (wallet signing, swaps, market orders, deposits/withdrawals) intended to move funds on-chain, so it grants direct financial execution authority.