switchboard
Warn
Audited by Snyk on Feb 19, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's examples and workflow explicitly fetch and consume data from public, third-party endpoints (e.g., Crossbar at https://crossbar.switchboard.xyz, Surge WebSocket wss://surge.switchboard.xyz, and feeds created via https://app.switchboard.xyz), and those oracle/HTTP-sourced responses are used to build transaction instructions and drive program behavior (e.g., fetchUpdateIx / fetchQuoteIx), so untrusted external content can materially influence actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The examples initialize a CrossbarClient pointing to https://crossbar.switchboard.xyz and call it at runtime to fetch oracle signatures/responses that are injected into transaction instructions (i.e., remote content directly controls the instructions the skill builds and executes), and the skill depends on that endpoint.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). This skill is a purpose-built Solana crypto SDK (Switchboard) with explicit APIs and examples for interacting with wallets, building and signing transactions, and sending them on-chain. The docs show useWallet/Keypair, creating instructions (pullIx), assembling transactions (asV0Tx / Transaction), and calling connection.sendTransaction(tx). It also includes program IDs, building and deploying feeds to mainnet, and RandomnessService.create with callback program IDs — all concrete blockchain operations (wallets, signing, submitting transactions). Per the rule that crypto/blockchain capabilities (wallets, signing, swaps) constitute Direct Financial Execution, this skill provides specific, non-generic tools to execute on-chain operations and thus should be flagged.