carbium

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill subscribes to public Solana transaction and log streams (e.g., wss://grpc.carbium.io and wss://wss-rpc.carbium.io in SKILL.md and the pump-snipe/grpc-stream examples), ingesting untrusted, user-generated on-chain logs and transactions and using them to drive decisions and submit transactions (e.g., detecting "Instruction: Create" to derive mints and build buy txs), which could allow indirect prompt-injection-like influences on agent behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly exposes crypto financial execution capabilities. It documents Swap API endpoints for getting quotes and returning executable transactions, v1 swap and swap/bundle endpoints (including submitting signed transactions for Jito bundling), gasless swaps that pay fees on behalf of users, and RPC instructions to send/confirm transactions (sendRawTransaction, sendTransaction, skipPreflight, etc.). The examples show deserializing an executable txn, signing, and submitting it programmatically, plus dedicated endpoints/flags for execution (e.g., /api/v2/quote with user_account → txn, /api/v1/swap, /api/v1/swap/bundle, fee transfer endpoints). This is specifically designed to move crypto assets on-chain (wallet swaps, bundling, sniping flows), not just generic HTTP or browser tooling—so it grants direct financial execution authority.