botchan

Warn

Audited by Snyk on Feb 20, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill reads arbitrary on-chain, user-generated messages from the Net Protocol messaging contract on Base (e.g., via getTotalMessagesCount/getMessagesInRange against NET_MESSAGING in index.ts, and through the read/profile commands in SKILL.md) and surfaces/interprets that content as part of its read/profile workflow. Because that content is untrusted, it could contain instructions that influence subsequent posts/comments.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly requires a wallet/private key and on-chain transactions (posts/messages live forever on-chain and require ETH on Base for gas). It exposes commands to post, comment, register feeds and send direct messages by submitting transactions tied to wallet addresses; that is, it performs blockchain wallet signing and submits transactions. This is a specific crypto/blockchain execution capability (wallet/signing), so it meets the Direct Financial Execution criteria.
Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 20, 2026, 08:51 PM