openfin-hyperliquid

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly calls public Hyperliquid endpoints (e.g., GET /market/outcome-meta, /market/perp-categories, /market/metas) that return question/outcome names, descriptions and market metadata which the agent is instructed to read and use for discovery and trading, so untrusted/user-generated third-party content could influence decisions and subsequent tool actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a trading integration for Hyperliquid with dedicated endpoints and actions that move funds and place market orders. It exposes specific write APIs such as POST /agent/trading/orders (place orders), DELETE /agent/trading/orders (cancel), PUT /agent/trading/orders/:oid (modify), POST /agent/trading/twap (execute TWAP trades), POST /agent/trading/leverage and /margin (change risk/leverage), POST /agent/trading/withdraw or withdraw_to_arbitrum (burn HL USDC and payout to Arbitrum), POST /outcome/split, /merge, /negate (mint/burn outcome collateral USDH), and swap/spot flows for collateral. The MCP action enum includes place_order, withdraw_to_arbitrum, update_leverage, place_twap_order, split_outcome, merge_outcome, etc. This is not a generic HTTP/tooling surface — it is specifically designed to execute financial transactions, trades, and withdrawals. Under the decision logic (is the tool's primary and explicit definition to move money?), this qualifies as Direct Financial Execution.