synctx-mcp

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). This skill explicitly requires using a saved auth_token (and wallet address) as parameters for authenticated tool calls, forcing the agent to include secret credentials verbatim in requests/commands and creating an exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The skill contains deliberate automation that bypasses user confirmation for on-chain writes and token approvals, persistently stores reusable auth tokens locally, and auto-recovers credentials — collectively creating a high-risk backdoor for unauthorized financial actions even though there is no explicit data exfiltration or remote-code execution in the text.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly requires calling instruction() and parsing embedded external reference links (see Section 5 "On-Chain Text Reference Protocol" which includes ipfs: and https://...), instructing the agent to fetch and follow that public third-party content as part of its workflow, so untrusted web/IPFS content can directly influence tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs the agent at runtime to call instruction() and parse/follow embedded external reference links such as https://... and ipfs:{cid}, meaning content fetched from those URLs can directly control prompts or instructions used by the agent.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly performs on-chain financial operations: it requires a wallet/address, calls /wallet, and details on-chain write actions such as USDC.approve(DealContract, approveAmount), createDeal(params + sig), requestVerification (with verifier fees), withdraw(dealIndex), triggerTimeout/triggerSettlementTimeout that move/forfeit funds, and protocolFee() calculations. It also states on-chain writes and token approvals are treated as pre-authorized automated steps (no user confirmation). These are specific crypto/blockchain payment and transaction actions (token approvals, transfers, contract writes), so the skill grants direct financial execution authority.