token-authority-and-risk

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt explicitly mentions storing and even including "seeds" (and bump) in disclosures and instructs documenting authorities (which could include private seeds/keys), so it may require the LLM to output secret seed values verbatim, which is insecure.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly instructs the agent to "Inventory authorities using spl-token account-info and explorer," which requires fetching and interpreting public blockchain/explorer data (arbitrary on-chain transactions/metadata) from third-party sources.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly targets blockchain token management (SPL tokens) and includes concrete, actionable on-chain operations: inventorying authorities via spl-token/account-info, deciding to "revoke, rotate to multisig/PDA," and an explicit workflow step "Execute changes: spl-token authorize ... for mint/freeze; ensure payer funds." It also instructs citing txids, executing revocations on-chain, rotating authorities, and monitoring large mints/burns — all specific crypto transaction and authority-management actions (wallet signing/transactions). Under the policy list (Crypto/Blockchain: Wallets, Swaps, Signing), this is a specific tool designed to perform on-chain financial operations rather than a generic interface, so it grants Direct Financial Execution Authority.