intuition

Warn

Audited by Snyk on Mar 11, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill explicitly instructs the agent to query public, user-generated GraphQL endpoints (e.g., https://mainnet.intuition.sh/v1/graphql and testnet) and to perform pin mutations via reference/graphql-queries.md and reference/schemas.md. The returned atom/triple metadata and IPFS URIs are treated as inputs the agent must read, and they directly influence which term IDs, predicates, and on-chain transactions are created. In other words, untrusted third-party content is consumed in required workflows and can change agent actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly designed to construct and execute on-chain financial transactions for the Intuition protocol. It provides write ABIs and concrete payable functions (createAtoms, createTriples, deposit, depositBatch, redeem, redeemBatch), exact contract addresses and chain IDs, value/msg.value calculation rules, and an unsigned-transaction JSON output contract intended to be signed and broadcast by a wallet. It requires a funded wallet, RPC access, and details how to compute and send TRUST/tTRUST as msg.value. The autonomous-mode policy and signer entrypoints further document unattended signing/broadcast controls. These are specific crypto/blockchain financial operations (moving native token value, minting shares, depositing/redeeming), not generic tooling, so this qualifies as Direct Financial Execution capability.

Issues (2)

W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 11, 2026, 09:34 AM
Issues: 2