opentrade-cex

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md Cross-Skill Workflows (Workflow C: "News-Driven CEX Trading") explicitly instructs the agent to call [opennews] and [opentwitter] to "Search crypto news" and "Check KOL sentiment" (public news and social media), and then use those third‑party, user-generated texts to decide and execute CEX trades, exposing the agent to untrusted external content that can materially influence actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a centralized-exchange trading integration with server-side execution. It defines endpoints and workflows to place and cancel orders (POST /orders, DELETE /orders/:orderId), close positions (POST /positions/close), set leverage (PUT /leverage/current), update exchange API credentials (PUT /config with apiKey/secret), and other write operations that directly execute trades and modify trading state. These are concrete financial execution actions (market/limit orders, position management, leverage changes), not generic tooling. Therefore it grants direct financial execution authority.