metamask-agent-workflows

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.75). The required runtime workflow ingests outsider-authored free text via the Aave V3 GraphQL API responses (e.g., curl -s -X POST https://api.v3.aave.com/graphql ... in workflows/aave-positions.md, aave-markets.md, aave-supply.md, aave-borrow.md, aave-repay.md, aave-withdraw.md), and those responses are then formatted/presented in the agent’s LLM context.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The workflows make runtime curl requests to the Aave GraphQL endpoint (https://api.v3.aave.com/graphql) which return TransactionRequest/ApprovalRequired payloads that the skill uses directly to construct and execute on-chain transactions, so external content from that URL controls agent actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform blockchain/crypto financial operations via the MetaMask CLI. Its workflows include "swap quote-review-execute", "bridge quote-review-execute", opening/closing/modifying perpetual positions, depositing/withdrawing pUSD, quoting and placing prediction orders, and Aave V3 actions (supply, withdraw, borrow, repay, toggle collateral). These are specific, actionable crypto wallet and DeFi transaction operations (i.e., sending transactions, moving assets), not generic tooling. Therefore it grants direct financial execution capability.