drift

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill clearly fetches and consumes open third‑party data (e.g., calls to public RPC endpoints like https://api.mainnet-beta.solana.com, Jupiter quote API and URL https://quote-api.jup.ag/v6, and explicit fetch to the public DLOB server at https://dlob.drift.trade/l2), and the agent is expected to read/interpret that externally-sourced market/orderbook/oracle data as part of its trading workflow, creating a channel for indirect prompt injection from untrusted public sources.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is a dedicated SDK for the Drift Protocol on Solana and explicitly provides APIs to execute on-chain financial actions: placing perpetual and spot market/limit/stop orders, placing multiple orders atomically, canceling/modifying orders, depositing and withdrawing USDC/SOL, transferring collateral and positions between sub-accounts, executing Jupiter swaps, settling PnL, and signing/submitting off-chain orders. It also shows initializing clients with secret keys/wallets and sending transactions. These are specific crypto/blockchain financial execution functions (wallet signing, swaps, deposits/withdrawals, market orders), not generic tooling, so it grants direct financial execution authority.