opensea

Warn

Audited by Snyk on Jun 20, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.75). The router’s runtime path is to read the sub-skill SKILL.md (local bundled markdown) and then execute OpenSea API/CLI/MCP calls; the only LLM-ingested free text comes from OpenSea API responses (e.g., NFT/collection/user-generated metadata) which are outsider-authored content, so indirect prompt injection is possible via those response fields.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The router explicitly references sub-skills that perform crypto financial actions: "Buy/sell NFTs on Seaport, sweeps, cross-chain" (opensea-marketplace), "Swap ERC20 tokens via DEX aggregator" (opensea-swaps), and "Configure wallet signing (Privy/Turnkey/Fireblocks/Bankr)" (opensea-wallet). These are specific, purpose-built capabilities for executing transactions, signing wallet operations, and moving value on-chain — not generic tooling. Therefore the skill grants direct financial execution authority.

Issues (2)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

  • Risk Level: MEDIUM
  • Analyzed: Jun 20, 2026, 08:58 AM
  • Issues: 2
Security Audit — snyk — opensea