public-relayer

Warn

Audited by Snyk on May 8, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to fetch and consume data from public relayer endpoints (e.g., POST to https://relayer.1shotapi.com/relayers via relayer_getCapabilities and relayer_getFeeData and GET https://relayer.1shotapi.com/.well-known/jwks.json) and to use those returned values (targetAddress, context, tokens, JWKS) to build, sign, and submit transactions, so untrusted third-party content can directly alter the agent's actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly designed to construct, sign, and submit blockchain transactions and to pay relayer fees in ERC-20 tokens via the 1Shot relayer JSON-RPC API. It documents methods like relayer_send7710Transaction / relayer_send7710TransactionMultichain, relayer_getFeeData (price lock and fee computation), and relayer_getCapabilities (accepted ERC-20 payment tokens, feeCollector, targetAddress). It instructs creating and signing EIP-7710/EIP-7702 delegations, encoding fee transfers to the feeCollector, and submitting those signed transactions — i.e., sending on-chain value and executing payments. These are specific crypto/transaction execution capabilities (wallet signing + transaction submission + ERC-20 fee payments), so this is direct financial execution authority.

Issues (2)

  • MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
  • MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: MEDIUM
Analyzed: May 8, 2026, 03:53 AM
Issues: 2