zerion

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's workflow (SKILL.md) explicitly instructs the agent to call external Zerion APIs and pay-per-call endpoints (e.g., zerion portfolio, zerion chains, x402.org, mpp.dev and developers.zerion.io) to fetch live, public blockchain/analytics data which the agent is expected to read and use for analysis or trading decisions, exposing it to untrusted third-party content that could influence behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a crypto wallet API/CLI with built-in trading and wallet management capabilities. The prompt names specific transaction actions ("swap", "bridge", "send tokens"), wallet creation/import/backup/delete, signing, and "Set up agent tokens + policies for autonomous trading." It references API keys and agent tokens for trading and describes private-key usage for signing and sending transactions across multiple chains. These are specific crypto/blockchain financial execution functions (wallet management, signing, broadcasting/swapping/sending assets), not generic tooling. Therefore it grants direct financial execution authority.