frontend-playbook

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs the agent to fetch and validate live public content (e.g., curl/verify https://myapp.yourname.eth.link, GATEWAY/ipfs/CID, community.bgipfs.com uploads and to "spawn a sub-agent" that opens and clicks through the deployed URL), meaning the agent will read and act on arbitrary public/user-hosted pages which can materially influence deployment decisions like setting ENS content hashes.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly instructs creating ENS subdomains and setting IPFS content hashes via on‑chain transactions and wallet confirmations ("Open Wallet → Confirm", "Two mainnet transactions", "Set IPFS Content Hash", "Create subdomain"). It also includes concrete blockchain tooling and RPC usage (cast calls, rpc-url, verifying onchain contenthash) and walkthroughs that involve approving and sending transactions from a wallet. These are specific crypto/blockchain signing and transaction actions (not generic automation), so the skill grants direct crypto financial execution capability.