zest-yield-manager

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). This skill fetches public, third-party data from the Hiro API (https://api.hiro.so) and via fetchCallReadOnlyFunction (reading contract functions like get-user-reserve-data and get-vault-rewards), and it parses that untrusted on-chain/API content to decide and generate supply/withdraw/claim actions, so external content can materially influence agent behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed to execute on-chain financial operations: it supplies and withdraws sBTC to/from Zest Protocol, claims wSTX rewards, submits Stacks transactions (writes to chain), and includes concrete commands (run --action=supply/withdraw/claim) and an explicit MCP tool call ("zest_supply") for executing transactions. The documentation even lists mainnet txids, gas requirements, and pre-flight checks for balances. This is a specific crypto/blockchain financial integration (wallet transactions and asset movement), not a generic tool — therefore it grants direct financial execution authority.