skyfire

Warn

Audited by Snyk on Feb 28, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md Workflow (sections "Discover Services and Tags" and "Integrate Skyfire MCP in Agent Workflows") instructs agents to call public directory and MCP endpoints (e.g., https://api.skyfire.xyz/api/v1/directory/... and external MCP servers like https://mcp.dappier.com/mcp) and to ingest seller-provided fields such as openApiSpecUrl/websiteUrl, which the agent must read and act on to choose services, create tokens, and call downstream tools—exposing it to untrusted third-party content that can influence actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly focused on payment/token operations: it defines payment-capable tokens (pay, kya+pay), instructions for creating buyer tokens, token introspection, seller acceptance of tokens, and explicit "charge" endpoints and balance checks. It references a "Charge Token" API and workflows for charging payment-capable tokens, which constitute direct financial transaction capabilities. This is a specific financial-execution tool, not a generic interface.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 28, 2026, 07:15 PM