solana-dev

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill instructs the agent to fetch and act on public, user-controlled on‑chain and web data (e.g., token-2022.md shows resolving extra account metas from on‑chain meta lists via addExtraAccountMetasForExecute and calls like getTokenMetadata/getMint/getAccount and anchor idl fetch), so untrusted third‑party content is read and can materially change transaction construction and subsequent actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly centered on Solana development and includes many protocol- and payment-specific subskills that perform on-chain value operations. It references swaps, limit orders, AMMs, order-book DEX, bridging, lending, margin/perpetuals, Solana Pay (Commerce Kit, Kora), Phantom Connect (wallet connection), Squads (multisig), and other DeFi integrations (Jupiter, Drift, Raydium, Orca, DeBridge, Manifest, dFlow, etc.). These are specific crypto/financial APIs and primitives for sending transactions, swapping tokens, bridging assets, and executing market orders — i.e., direct financial execution capabilities.