jingswap

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill repeatedly fetches data from a third-party API (via jingswapGet using JINGSWAP_API, defaulting to https://faktory-dao-backend.vercel.app) — e.g., /api/auction/cycle-state and /api/auction/pyth-vaas — and the agent directly uses that untrusted response to decide actions and to construct on-chain calls (including passing fetched VAAs into settle-with-refresh), so external content can materially influence tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill calls runtime endpoints on https://faktory-dao-backend.vercel.app (JINGSWAP_API) — notably /api/auction/pyth-vaas — and uses the returned VAA hex blobs directly as buffer arguments to the settle-with-refresh contract call, meaning remote content from that URL directly controls on-chain execution inputs.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). Yes. The skill is explicitly designed to interact with a blockchain auction contract and perform token transfers and settlement. It exposes commands to deposit STX and sBTC (deposit-stx, deposit-sbtc), cancel deposits (refunds), close deposits, trigger settlement (settle, settle-with-refresh which costs ~2 µSTX), cancel cycles, and query/inspect on-chain state. The contract address is given and the subcommands are clearly transaction-invoking operations (deposits, settlements, cancellations, closing), i.e., explicit crypto/blockchain financial execution (swaps/wallet interactions).