cesto-creator-toolkit

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required research flow (references/research-flow.md) explicitly instructs the agent to use WebSearch for ecosystem mapping and the bundled scripts (search_predictions.py, get_prediction_detail.py, fetch_tokens.py and upload_thumbnail.py) fetch data from public endpoints (prediction events/markets, Jupiter price API, and arbitrary image URLs), meaning the agent ingests untrusted, user-generated or public web content and uses it to select tokens/markets and build workflows that drive subsequent actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform crypto financial operations. It defines swap nodes (swap.token) with from/to token mints, amounts, slippage, and recipient/userWallet fields; prediction purchase nodes (prediction.open) that buy YES/NO positions; and a final transaction.submit node ("Submit swap + prediction transactions"). It provides authenticated scripts to create/rebalance baskets and submit payloads (create_basket.py, rebalance_basket.py, transaction.submit), and the workflow uses USDC mint and token allocations. These are specific mechanisms to execute token swaps and open prediction-market positions (i.e., move funds / place financial orders), not generic tooling. Therefore it grants Direct Financial Execution authority.