yield-agentkit-privy

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill explicitly calls the remote Yield.xyz AgentKit MCP (https://mcp.yield.xyz/mcp) and Privy APIs to fetch yields, schemas, balances, pendingActions and unsignedTransaction objects that the agent must read and act on as part of its mandatory workflow (see SKILL.md and references/*), so untrusted third‑party responses can directly influence transaction construction and execution.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill at runtime calls the external MCP endpoint (https://mcp.yield.xyz/mcp) to fetch required unsignedTransaction objects that determine on‑chain actions and then submits them to Privy's runtime signing API (https://api.privy.io), so these URLs are required runtime dependencies that directly control executed transactions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly for executing DeFi transactions. It integrates Yield.xyz to build unsigned transactions and Privy to hold keys, sign, and broadcast those transactions. The prompt includes explicit API calls (POST https://api.privy.io/v1/wallets/{PRIVY_WALLET_ID}/rpc with methods like "eth_sendTransaction" and "signAndSendTransaction"), wallet creation/listing, policy management, balance checks, and autonomous signing/broadcasting workflows. These are concrete crypto wallet/signing/broadcasting capabilities (moving funds), not generic tooling.