openfin-launchpad

Warn

Audited by Snyk on Jun 27, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.72). The required runtime workflow includes GET /agent/launchpad/tokens (public “explore feed”) which returns outsider-authored token metadata fields like description, website, twitter, telegram, and externalUrl from the platform’s listings; these are readable free-text from parties other than the operating user and can be injected into the agent’s LLM context when the agent displays/uses the feed content.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly a Solana token launchpad with on-chain write operations that move value: it can mint tokens with a paid launch fee (launch_token), perform swaps (buy / sell with quoted amounts and returned transaction signatures), execute an atomic creator "dev buy" (initialBuySol), migrate reserves into an AMM (transferring funds) and withdraw creator fees to the caller's Solana wallet (claim_creator_fees). These are concrete crypto/blockchain transaction APIs (returns signatures, require wallet and SOL) — i.e., direct financial execution capability.

Issues (2)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 27, 2026, 07:02 PM
Issues
2
Security Audit — snyk — openfin-launchpad