zest-auto-repay

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill directly fetches on-chain position and wallet data from public Hiro APIs (see getZestPosition/callReadOnly and preflight fetching https://api.hiro.so and https://api.hiro.so/extended/v1/address/...), and it consumes those public, user-controlled on-chain values to compute LTV and drive repay/emergency-repay decisions and emitted MCP commands, so untrusted third‑party content can materially influence agent actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform on-chain financial actions: it is a WRITE skill for Zest Protocol on Stacks that computes and executes repayments (including emergency repayments) via a named tool (zest_repay MCP tool), requires/unlocks a wallet, emits on-chain repayment transactions (or MCP commands that the agent framework will execute), and supports on-behalf-of repayments. This directly meets the "Crypto/Blockchain (Wallets, Swaps, Signing)" and "Send Transaction" criteria for Direct Financial Execution. Safety caps do not remove the ability to move funds.