dflow

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill makes runtime requests to public DFlow endpoints (e.g., https://api.prod.dflow.net and https://quote-api.dflow.net) — including fetching prediction-market events, orderbooks, trades and WebSocket streams (events API, trades API, orderbook endpoints and WS subscriptions) — which are public third‑party data sources that the agent ingests and interprets, so untrusted/user-generated content could provide indirect prompt injection vectors.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill fetches runtime content from https://quote-api.dflow.net (e.g., /quote, /swap, /swap-instructions, /intent) which returns base64 transactions and instruction payloads that the agent deserializes, signs, and submits—so remote content directly controls executable on-chain instructions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a trading SDK for the Solana blockchain (DFlow). It exposes Swap and Trade APIs, order/quote/swap endpoints, and examples that construct, sign (with a Keypair/private key), and send transactions (connection.sendTransaction, submit-intent, POST /swap, GET /order, /order-status). It directly enables token swaps, market orders, prediction-market trades, fee collection and programmatic execution (including an agent kit that accepts a private key). This is a direct crypto/blockchain financial execution capability.