standards

Warn

Audited by Snyk on Mar 13, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The SKILL.md workflow explicitly instructs agents to fetch registration JSON hosted on IPFS or arbitrary web servers (e.g., .well-known/agent-registration.json and service endpoints like https://agent.example/.well-known/agent-card.json) and to call those advertised endpoints (x402 flows), meaning untrusted third-party content is retrieved and can directly influence payments, tool use, and next actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly describes protocols, SDKs, and code for on-chain payments and settlement: x402 HTTP payment flow, EIP-3009 "transferWithAuthorization", client code that signs payments with a wallet/private key, server middleware and facilitator endpoints that verify and submit on-chain settlement transactions. These are specific tools/APIs for executing crypto payments (signing and submitting transfers), not generic utilities, so it grants direct financial execution authority.

Issues (2)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 13, 2026, 11:36 PM
Issues: 2