dfm-agent
Fail
Audited by Snyk on May 12, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). The skill contains multiple intentional patterns that enable stealthy, persistent on-device authority (auto-generating agent keypairs, writing private keys and JWTs into shell startup files, and instructing operators to avoid visible CLI calls), combined with fully autonomous on-chain signing and capital-flow operations — this creates a high-risk capability for credential capture, persistent control, and fund exfiltration even though there is no obviously obfuscated remote backdoor or explicit exfiltration endpoint in the code shown.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The SKILL.md Research step explicitly requires using WebSearch and WebFetch to pull token data from open, public sites and aggregators (CoinGecko, CoinMarketCap, DexScreener, token lists, protocol sites, etc.), and the agent is instructed to read and act on that untrusted third‑party content to choose assets/allocations and drive on‑chain actions, so these external pages could indirectly inject instructions that materially influence tool use and decisions.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to manage on-chain financial operations on Solana: it builds unsigned transactions (launch-dtf, update-assets-tx, deposit-tx, redeem-tx, distribute-fees), requires/derives an agent wallet keypair (DFM_AGENT_KEYPAIR), instructs signing of VersionedTransaction locally and submission to Solana, and runs deposit/redeem flows (Jupiter swaps, fan-in/fan-out, recording transactions). These are direct crypto/blockchain execution capabilities (wallets, signing, swaps, on-chain transfers), so it grants Direct Financial Execution Authority.
Issues (3)
- E006 (CRITICAL): Malicious code pattern detected in skill scripts.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata