hub-swap-planner
Warn
Audited by Snyk on Mar 24, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill clearly ingests and acts on untrusted public third‑party data — e.g., it queries hub-api.pancakeswap.com, api.dexscreener.com, api.geckoterminal.com and external token lists/raw.githubusercontent.com during token discovery, quoting, and calldata generation, and those external fields (names/symbols, routes, calldata) directly influence routing, link/tx creation, and next actions.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly built for crypto token swaps via PancakeSwap's Hub: it calls the Hub API (/quote and /calldata) to produce transaction calldata/value, constructs EIP-681 URIs and Trust Wallet send deep links (which invoke native transaction signing), and returns headless JSON payloads containing txTo, txValue, and txData. Although it states "does not execute swaps", it generates ready-to-sign transaction payloads and even attempts to open deep links that trigger wallet signing—behavior that directly enables on-chain financial execution. These are specific crypto/transaction tools (router address, calldata, tx value, Trust Wallet send link), so it meets the criteria for Direct Financial Execution.
Issues (2)
W011
MEDIUM Third-party content exposure detected (indirect prompt injection risk).
W009
MEDIUM Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata