helius-phantom

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's workflow (SKILL.md plus references/helius-das.md and the WebSockets/Enhanced Transactions docs) explicitly requires calling Helius APIs (e.g., getAssetsByOwner, parseTransactions, getWalletHistory, transactionSubscribe) which ingest public, user-generated off-chain metadata (Arweave/IPFS) and live third‑party data that the agent must read and that can materially influence actions (token gating, transaction parsing/submission, WebSocket-driven behaviors), so it exposes the agent to untrusted third-party content.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed for crypto financial operations on Solana: it instructs signing and submitting transactions (transfer SOL/SPL tokens, mint NFTs, accept crypto payments), uses Helius Sender endpoints and MCP tools (getPriorityFeeEstimate, getSenderInfo, parseTransactions, etc.), and describes building swap UIs and payment/checkout flows. These are direct blockchain transaction and payment capabilities (crypto/blockchain wallets, signing, submitting), so it grants direct financial execution authority.