cattown

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly fetches and interprets public, unauthenticated endpoints (e.g., GET https://api.cat.town/v2/items/master, GET https://api.cat.town/v2/items/capsule/, GET https://api.cat.town/v1/tickets/leaderboard, and the inventory endpoints) whose responses include user-provided fields (leaderboard basenames/equipment, inventory/capsule items, etc.), and SKILL.md shows the agent must read and act on that data (compute odds, decide follow-up actions, poll for gacha results, offer sells), so untrusted third-party content can materially influence tool use/decisions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly exposes onchain write flows that transfer value and control token movement: staking/unstaking KIBBLE (with approve/allowance handling), claim/claimAndRestake, unlock/relock, purchaseAndOpenCapsule (payable gacha pulls that deduct KIBBLE and require ETH for VRF fees), SellItems.sellMultipleNFTsToContract (sell NFTs for KIBBLE), and claimFreeTicket. It includes contract addresses, calldata examples, preflight checks (allowance, balances, vendor liquidity), payout/tax math, and explicit submission commands via the Bankr wallet/agent. It also references swaps to convert KIBBLE→ETH for gas. These are concrete crypto/blockchain financial operations (wallet signing, token transfers, swaps, payouts), not generic tooling — therefore it grants direct financial execution capability.