coinone-openapi
Warn
Audited by Snyk on Apr 15, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The repository's GitHub Actions workflow (.github/workflows/check-api-updates.yml) explicitly fetches the public RSS feed (https://docs.coinone.co.kr/changelog.rss) into /tmp/changelog-entries.json and then invokes the Claude agent with a direct_prompt that tells it to read that file and create issues/modify docs, so external public changelog content can directly drive agent decisions and edits.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The GitHub workflow and scripts fetch https://docs.coinone.co.kr/changelog.rss at runtime (via check-changelog.py and a curl in the update-docs job) and the fetched JSON/RSS is written to /tmp/changelog-entries.json which the Claude agent is explicitly instructed in direct_prompt to read and act on, so remote content directly controls the agent's behavior.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly built for a cryptocurrency exchange (Coinone) and includes private REST and WebSocket APIs, authentication/signing rules, nonce requirements, and an "order placement" procedure with an order-safety reference. It prescribes headers for private requests (X-COINONE-PAYLOAD, X-COINONE-SIGNATURE), exact API endpoints, and safety/retry guidance for sending private order requests. These are specific, actionable integrations for executing crypto trades and other private account actions, i.e., direct financial execution capability.
Issues (3)
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUM: Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata