openocean


Audited by Snyk on May 12, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill calls external public APIs (e.g., OPENOCEAN_BASE "https://open-api.openocean.finance/v4" via proxied_get in _api_get and optionally Debank's "https://pro-openapi.debank.com/v1/user/token_list") and directly consumes those responses in openocean_quote and openocean_swap to construct and execute wallet transfers (including tx "to", "data", "value", and approval logic), so third-party content can materially influence agent actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform cryptocurrency financial operations: it provides functions to get quotes and to execute swaps (openocean_swap), includes a built-in ERC20 approval flow that sends approve transactions, and uses a wallet runtime (/agent/transfer) to broadcast transactions. It signs and broadcasts blockchain transactions and verifies balance deltas. These are specific crypto/blockchain wallet and transaction capabilities (they move money), not generic tooling.


Audit Metadata

Risk Level: MEDIUM
Analyzed: May 12, 2026, 01:04 AM
Issues: 2