ton-swap

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's workflow (SKILL.md steps 1–3) explicitly calls get_known_jettons and get_swap_quote against a DEX aggregator to fetch token addresses and swap quotes, which the agent must read/interpret (and then emulate/send transactions) so untrusted third-party quote/content can directly change actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform token swaps on the TON blockchain and contains direct transaction execution APIs. It includes a flow to obtain a swap quote, emulate the transaction, then "execute" the swap by calling send_raw_transaction with transaction messages, poll transaction status, and even create/use wallets. These are specific crypto/blockchain financial operations (wallet management, signing/sending transactions, swapping tokens), so it grants direct financial execution authority.