aptos-agent

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill invokes on-chain view functions (aptos_view) and explicitly "Query NFT/token collections" including property_map read_string/read_* view functions, which pull public, user-generated on-chain metadata (descriptions, URIs) that the agent will read and could contain malicious/indirect prompt injection.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed to move crypto assets on the Aptos blockchain. It provides specific transaction-capable tools (aptos_transfer, aptos_swap, aptos_stake) and describes entry functions and multisig transaction APIs (e.g., 0x1::coin::transfer, multisig create/approve/execute). It also includes setup for a private key and wallet validation. Even though it notes "requires approval," the primary and explicit purpose is sending transactions, swapping tokens, staking, and interacting with multisig — all direct financial execution capabilities.