opensea
Warn
Audited by Snyk on May 9, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md files explicitly require fetching and consuming public OpenSea API/MCP responses (opensea-api, opensea-marketplace, opensea-swaps) which include user-generated NFT metadata and order fields, and the opensea-tool-sdk workflow/CLI explicitly fetches tool manifests from arbitrary metadata URLs (--metadata) — both are untrusted third‑party content that the agent reads and that can directly influence actions like fulfillment, swap execution, or onchain tool registration.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The opensea-tool-sdk register flow explicitly fetches an external manifest URL at runtime (e.g., https://my-tool.example.com/.well-known/ai-tool/my-tool.json), and that manifest directly defines the tool's inputs/outputs and access policy which will control agent prompts and behavior—so this is a runtime external dependency that can control agent instructions.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly provides transactional crypto capabilities: it can trade NFTs on Seaport (buy/sell, sweeps, fulfill listings), swap ERC‑20 tokens via a DEX aggregator, and configure wallet signing providers (Privy/Turnkey/Fireblocks/Bankr). The router also directs to sub-skills for write operations (buy/sell/make offers) and token swaps, so this is specifically designed to initiate on‑chain financial transactions and signing, not a generic tool. These map directly to "Crypto/Blockchain (Wallets, Swaps, Signing)" and "Market Orders" in the core rule.
Issues (3)
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUM: Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata