bitget-wallet
Warn
Audited by Snyk on May 13, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests third-party content (notably the x402 payment flow and x402_pay.py which fetches arbitrary resource URLs as part of the pay-retry flow, and market endpoints like alpha-signals / token-info that return external media_list and social links) and requires the agent to parse that untrusted, user/third-party-provided content to decide and perform actions (e.g., signing/pay, recommending trades), creating a clear vector for indirect prompt injection.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform financial operations. It provides end-to-end crypto and RWA trading and payment capabilities (quote → confirm → makeOrder → sign → send), direct on-chain token transfers (transfer_make_sign_send.py, social_transfer_make_sign_send.py), wallet signing operations (order_sign.py, social-wallet.py sign_transaction/sign_message), gasless transfer/payment flows (x402 payments, EIP-3009, Permit2), and RWA stock trading commands. These are not generic utilities — they are specific APIs and scripts to move funds, execute market orders, and sign/send transactions. Therefore it grants Direct Financial Execution Authority.
Issues (2)
W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).