stackspot

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill calls public on-chain contracts via getHiroApi/callReadOnlyFunction (see callPotReadOnly in stackspot.ts) and SKILL.md/AGENT.md describe using get-pot-state/list-pots to read arbitrary pot contract state (user-supplied contract names), so untrusted third-party on-chain data is read and used to decide joins/starts/cancels and other actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly provides on-chain transaction operations for crypto assets (STX and sBTC). Subcommands like join-pot, start-pot, claim-rewards, and cancel-pot perform write operations that move or lock/unlock funds and require an unlocked wallet; outputs return txids and explorer URLs. This is a specific blockchain financial tool for sending transactions and claiming rewards (not a generic API/clicker), so it grants direct financial execution capability.