stackspot

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's runtime calls public on-chain contracts via getHiroApi/hiro.callReadOnlyFunction in callPotReadOnly (stackspot.ts) to fetch pot state (e.g., get-pot-value, is-locked, get-configs) from the public Stacks mainnet—these are untrusted, third-party contract data that the agent reads as part of required workflows (list-pots / get-pot-state) and which can influence decisions like starting, joining, or cancelling pots.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly provides on-chain transaction operations for crypto assets (STX and sBTC). Subcommands like join-pot, start-pot, claim-rewards, and cancel-pot perform write operations that move or lock/unlock funds and require an unlocked wallet; outputs return txids and explorer URLs. This is a specific blockchain financial tool for sending transactions and claiming rewards (not a generic API/clicker), so it grants direct financial execution capability.