opensea

Warn

Audited by Snyk on Mar 14, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). This skill fetches user-generated content from the public OpenSea API and Stream endpoints (api.opensea.io and wss://stream.openseabeta.com) via the opensea CLI and provided scripts (e.g., opensea-get.sh, opensea-stream-collection.sh). NFT names/descriptions, collection metadata and event payloads are untrusted and are returned to the agent as part of required workflows (SKILL.md and references/*). They can materially influence decisions such as which listings/offers to act on or which transactions to execute, creating a clear indirect prompt-injection exposure.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill instructs agents to run the OpenSea CLI at runtime (e.g., "npx @opensea/cli" and install instructions referencing https://github.com/ProjectOpenSea/opensea-cli). This causes remote package code to be fetched and executed locally, and the skill explicitly relies on that CLI as its primary runtime dependency.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly provides endpoints, CLI commands, scripts, SDK methods and MCP tools to perform on-chain financial actions: Seaport trades (buy/sell NFTs), token swaps (ERC20 swap quotes and calldata), fulfillment endpoints that return transaction data, and example code to sign/send transactions using a private key. It even documents wallet generation and use of PRIVATE_KEY/OPENSEA_MCP_TOKEN environment variables and shows how to execute swaps via viem/sendTransaction. These are concrete crypto transaction and wallet-signing capabilities (direct financial execution), not generic API or browser tooling.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 14, 2026, 01:01 AM
Issues: 3