extension-functions-best-practices

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly instructs the agent to extract and ingest arbitrary public webpage content (e.g., rules/ai.md "Content Extraction" using Readability/document.cloneNode and rules/chrome-built-in-ai.md and rules/ai.md summarizer/OpenAI calls that send page content to LLMs, and rules/translation.md's translatePage), and then uses that untrusted content to drive summaries, prompts, API calls, or follow-up actions—so third‑party pages can materially influence agent behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly includes a "Web3 Wallet" feature category that lists wallet management, transaction signing, DApp connection, and multi-chain support. It references wallet projects (MetaMask, Rabby, Rainbow), crypto libraries (ethers.js, viem) and standards (EIP-1193, EIP-712) — all of which are specific tools/APIs for signing and submitting blockchain transactions. This is direct crypto/blockchain financial execution capability.