CtrlK
BlogDocsLog inGet started
Tessl Logo

tessl-skill-index-evals/jup-ag__agent-skills__integrating-jupiter

Comprehensive guidance for integrating Jupiter APIs (Ultra Swap, Lend, Perps, Trigger, Recurring, Tokens, Price, Portfolio, Prediction Markets, Send, Studio, Lock, Routing).

86

1.85x
Quality

83%

Does it follow best practices?

Impact

91%

1.85x

Average score across 5 eval scenarios

SecuritybySnyk

Advisory

Suggest reviewing before use

Overview
Quality
Evals
Security
Files

Security

2 findings — 2 medium severity. This skill can be installed but you should review these findings before use.

Medium

W012: Unverifiable external dependency detected (runtime URL that controls agent)

What this means

The skill fetches instructions or code from an external URL at runtime, and the fetched content directly controls the agent’s prompts or executes code. This dynamic dependency allows the external source to modify the agent’s behavior without any changes to the skill itself.

Why it was flagged

Potentially malicious external URL detected (high risk: 0.90). The skill's "Fresh Context Policy" explicitly requires fetching external docs/OpenAPI specs at runtime and treating them as the source of truth—e.g., https://dev.jup.ag/openapi-spec/ultra/ultra.yaml—which means remote content would directly control the agent's instructions.

Report incorrect finding
Medium

W009: Direct money access capability detected (payment gateways, crypto, banking)

What this means

The skill is specifically designed for direct financial operations, giving the agent the ability to move money or execute financial transactions — such as payment processing, cryptocurrency operations, banking integrations, or market order execution.

Why it was flagged

Direct money access detected (high risk: 1.00). The skill is explicitly a Jupiter crypto integration: it documents swap/quote endpoints (Ultra Swap GET /order -> POST /execute), order/limit/recurring endpoints (Trigger /createOrder + /execute, Recurring /createOrder + /execute), lending endpoints that return unsigned VersionedTransactions (/earn/deposit, /earn/withdraw), send endpoints (/craft-send, /craft-clawback), and other market/order endpoints (prediction markets /orders). The prompt even includes a signAndSend implementation (signing VersionedTransaction with a Keypair and sending to RPC). These are specific crypto transaction/asset operations (swaps, sends, order execution, signing), i.e. direct financial execution capability.

Report incorrect finding
Audited
Security analysis
Snyk