coinbase-agentkit

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). SKILL.md documents Social Actions (twitterActionProvider and farcasterActionProvider) and other third‑party action providers that fetch/read social media and public API data as runtime tools the agent can call, meaning the agent will ingest untrusted, user‑generated content that could influence its decisions and tool use.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed for on-chain financial operations. It exposes wallet providers (CDP, Viem, smart contract wallets), transaction signing and wallet export, and many concrete actions that move value: nativeTransfer, erc20.transfer, swaps/tradeTokens (CDP/0x/jupiter), bridgeTokens, buyMemecoin/sellMemecoin, compound/morpho supply/withdraw/borrow/repay, createFlow/updateFlow/deleteFlow, minting/transfers of tokens/NFTs, and examples where an LLM agent is instructed to send ETH. It requires CDP API keys and provides server-side signing/configuration, so agents using this skill can directly execute financial transactions. These are specific payment/crypto transaction capabilities, not generic tooling.