messari-x402

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's SKILL.md explicitly directs the agent to fetch data from Messari's public API (e.g., https://api.messari.io/news/v1/news/feed and /signal/v1/x-users), which returns third‑party news and social/signal content that the agent is expected to read and that could materially influence its actions, creating a risk of indirect prompt injection.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform on-chain crypto payments as part of its core function. The documentation describes an automatic "402 payment flow" paid in USDC on Base, requires a wallet with USDC and ETH for gas, and shows CLI commands that specify a wallet and chain (mp x402 request --wallet main --chain base). It also references token operations (mp token swap, mp token balance list) and related wallet auth skills (moonpay-auth, moonpay-check-wallet). These are concrete crypto transaction/payment capabilities (sending USDC, performing swaps, and on-chain signing/gas), not generic HTTP or browser tooling. Therefore it grants direct financial execution authority.