Description
POST /api/tools/:name accepts any tool name and passes arbitrary body input directly to executeTool(). Any authenticated user can call fund-moving tools (deposit, send, refund, sweep) directly, completely bypassing the confirmation flow that /api/command enforces.
The wallet from the JWT is not injected into the tool params.
File
packages/agent/src/index.ts:189-200
Fix
Either:
- Remove this endpoint entirely (force tool execution through chat/command flow)
- Or add wallet injection + dangerous tool blocklist + confirmation requirement
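A sketch of the second option, as an added example rather than code from the project: a pure policy check the route handler could call before executeTool(). The function name, the Decision type, the `wallet` parameter name and the read-only tool `balance` are assumptions; only the four fund-moving tool names come from this report.

```typescript
// Added example, not project code. All identifiers here are hypothetical
// except the fund-moving tool names listed in the report.
const FUND_MOVING_TOOLS = ["deposit", "send", "refund", "sweep"];
const READ_ONLY_TOOLS = ["balance"]; // constructed sample of a harmless tool

type Decision =
  | { allow: true; params: Record<string, unknown> }
  | { allow: false; status: number; reason: string };

function authorizeToolCall(
  toolName: string,
  body: Record<string, unknown>,
  jwtWallet: string,
): Decision {
  const isFundMoving = FUND_MOVING_TOOLS.indexOf(toolName) !== -1;
  const isReadOnly = READ_ONLY_TOOLS.indexOf(toolName) !== -1;

  // Explicit allowlist: an unrecognised :name never reaches executeTool().
  if (!isFundMoving && !isReadOnly) {
    return { allow: false, status: 404, reason: "unknown tool" };
  }

  // Blocklist: fund-moving tools are refused on the direct endpoint, so the
  // only way to run them is the flow that asks for confirmation.
  if (isFundMoving) {
    return {
      allow: false,
      status: 403,
      reason: "fund-moving tool requires confirmation via /api/command",
    };
  }

  // Wallet injection: the value from the verified JWT is written last, so a
  // client-supplied `wallet` field in the body is always overwritten.
  return { allow: true, params: { ...body, wallet: jwtWallet } };
}
```

The handler would pass `decision.params`, never the raw request body, to executeTool(), and return `decision.status` when `allow` is false.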
Priority
HIGH — confirmation flow bypass