notional-v3

Warn

Audited by Snyk on Apr 9, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill queries public third-party endpoints (the Notional Exponent subgraph at https://api.studio.thegraph.com/query/60626/notional-exponent/version/latest and the public Ethereum RPC https://ethereum.publicnode.com) and directly ingests the untrusted on-chain/subgraph responses (token names, balances, health factors). The code uses that data at runtime (e.g., in get_vaults, get_account_balances, get_health_factor, and get_collateral_balance) both to display information and to make operational decisions, such as computing the “all” share amount for exits, so arbitrary third-party data could influence tool actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly designed to interact with a live DeFi protocol and perform on-chain write operations that move funds. It exposes commands to deposit into leveraged yield vaults (enter-position, including ERC-20 approve and enterPosition()), redeem/withdraw shares (exit-position), start unstaking/withdrawal flows (initiate-withdraw), and claim rewards (claim-rewards). Transactions are routed through an onchainos CLI and require broadcasting to Ethereum mainnet. This is a specific financial execution tool (blockchain wallet transactions / contract calls), not a generic interface, so it grants direct financial execution capability.

Issues (2)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

Risk Level: MEDIUM
Analyzed: Apr 9, 2026, 05:44 AM
Issues: 2