air-agentic-wallet

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly calls and ingests responses from external, potentially arbitrary URLs as part of its required workflow—notably airApiAgentSignUrl (AIR), the bundlerUrl, rpcUrl (eth_call / eth_getBalance / getNonce), and optional paymasterUrl—using those JSON RPC responses (nonce, gas estimates, paymaster fields, and AIR signatures) to drive signing, gas estimation, and submission, so untrusted third-party content can materially influence the agent's actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed to control crypto wallets and perform on-chain financial actions. It provides scripts and precise HTTP/API workflows to sign messages and Privy payloads, send native and ERC-20 tokens, approve ERC-20/ERC-721/ERC-1155 spend, transfer NFTs, build and submit ERC-4337 UserOps, compute and sign userOpHash, discover bundlers, and execute arbitrary contract calls. These are direct crypto/blockchain transaction and wallet-management capabilities (moving assets and authorizing transfers), so it grants Direct Financial Execution Authority.