clawnet-cli
Warn
Audited by Snyk on Apr 1, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly describes the CLI fetching files from the public ORDFS content endpoint (https://ordfs.network/content/{manifestTxid}/...) and accepting remote icon URLs. This means the agent reads untrusted, user-hosted content as part of its fetch/publish workflows, which could indirectly inject instructions and influence its behavior.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly references wallet and vault libraries (@1sat/wallet-mac, @1sat/vault) and a SecureEnclaveProvider for key management and secure signing. These components are specific to crypto key storage and signing (wallet functionality), which enables signing and therefore executing blockchain transactions. Even though the prompt does not show a send-transaction command, the inclusion of wallet/vault APIs and secure enclave signing is a specific crypto capability that qualifies as Direct Financial Execution under the "Crypto/Blockchain (Wallets, Swaps, Signing)" criterion.
Issues (2)
W011 MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W009 MEDIUM: Direct money access capability detected (payment gateways, crypto, banking).