zerion-umbra-privateTxn
Warn
Audited by Snyk on May 10, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to read untrusted indexer API responses (utxo-indexer.api.umbraprivacy.com) as part of the scan/claim workflow and even tells the agent to fetch pages from the public docs site (sdk.umbraprivacy.com) with WebFetch, both of which are third-party content that can materially influence claim/retry decisions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs the agent to WebFetch pages from https://sdk.umbraprivacy.com (including llms.txt/llms-full.txt) at runtime as "the source of truth". It also references a CDN-backed ZK asset provider (getCdnZkAssetProvider), which implies fetching remote proving assets that can control agent behavior or supply executable proving code. This external site is therefore a runtime dependency that can directly influence prompts or execute code.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is a Solana privacy-payments SDK with explicit, purpose-built crypto transaction APIs: signer factories, deposit/withdraw functions, UTXO create/scan/claim flows, recoverers, relayer/claim submission endpoints, and integration with wallet/CLI workflows (including an example agent prompt to swap tokens, deposit to Umbra, and create a receiver-claimable UTXO). These are direct blockchain money-movement primitives (token deposits, withdrawals, claims, and signed transactions), i.e., explicit crypto/ledger execution capability.
Issues (3)
- W011 MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
- W012 MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
- W009 MEDIUM: Direct money access capability detected (payment gateways, crypto, banking).