openfin-polymarket

Warn

Audited by Snyk on May 12, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.70). The skill explicitly calls public Polymarket endpoints (e.g., /public-search and /events per the "Research → trade workflow") that return user-generated market titles/metadata which the agent is expected to read and use (extract token_id/market info) to drive trading actions, so untrusted third-party content can materially influence decisions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly exposes trading and fund-transfer endpoints: POST /order, POST /order/market, POST /orders (batch), DELETE /orders/all (bulk cancel), and POST /agent/polymarket/deposit-wallet/withdraw-and-bridge (cash out/bridge pUSD). These endpoints perform on-chain/orderbook actions and move value (place market/limit orders, cancel orders, withdraw/bridge user funds). The skill is specifically designed for financial operations (trading and transferring tokens), not a generic tool, so it grants direct financial execution authority.

Issues (2)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

  • Risk Level: MEDIUM
  • Analyzed: May 12, 2026, 07:58 PM
  • Issues: 2