ens-primary-name
Warn
Audited by Snyk on Feb 26, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). Scripts (scripts/set-avatar.sh, scripts/set-primary.sh, and scripts/verify-primary.sh) make live queries to public third‑party endpoints (e.g., https://api.thegraph.com/subgraphs/name/ensdomains/ens, public RPC URLs like https://eth.publicnode.com and https://mainnet.base.org, and thirdweb APIs) and then parse that user-controlled ENS/resolver and on‑chain text data to determine transaction recipients, calldata, and verification flow, so untrusted, user-generated content can materially influence tool actions.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly performs on-chain transaction signing and submission for ENS operations. It requires the Bankr CLI for transaction signing (examples show a "bankr prompt" invocation and a full transaction JSON: {"to":"0x...","data":"0x...","value":"0","chainId":8453}), encodes calldata (setName), submits transactions to Reverse Registrar contracts on specific chains, and requires native tokens for gas. These are specific crypto/blockchain wallet and signing capabilities (not generic browser or HTTP tools), so the skill grants direct financial execution authority.
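Added example, not part of the Snyk report or of the ens-primary-name skill's scripts: a pre-signing policy check that addresses both findings above. W011 says recipients and calldata are derived from data fetched from third-party endpoints; W009 says the resulting JSON goes straight to the signer. The guard below treats every field of that JSON as untrusted and pins it to values the operator chose up front: the chainId must be enabled, the "to" address must equal a hard-coded Reverse Registrar address for that chain (the addresses here are placeholders, to be replaced from the official ENS deployment records, never from subgraph or resolver output), "value" must be "0", and the calldata is ABI-decoded and compared against the ENS name the operator intended to set. Assumptions: the setName(string) selector constant (recompute keccak256("setName(string)")[:4] and confirm before relying on it), the conservative lowercase dotted-label name syntax, and the sample transactions, which are constructed for this example.

```python
"""Pre-signing policy check for an ENS setName transaction.

Example code written for this page, not the skill's own. Everything that
came back from a subgraph, a public RPC or a resolver text record is
treated as attacker-influenced input; the transaction JSON is only
released to the signer if every field matches operator-chosen values.
"""
import json
import re

# keccak256("setName(string)")[:4]. ASSUMPTION for this example: recompute
# with a keccak library and confirm before using it as a policy constant.
SET_NAME_SELECTOR = "c47f0027"

# Pinned Reverse Registrar per chain. PLACEHOLDER addresses: replace with the
# contracts from the official ENS deployment records. Never populate this
# from data returned by the subgraph, an RPC call or a resolver lookup.
ALLOWED_REVERSE_REGISTRARS = {
    1: {"0x" + "11" * 20},      # placeholder for Ethereum mainnet
    8453: {"0x" + "22" * 20},   # placeholder for Base
}

# Conservative name syntax: lowercase dotted labels only (ENS names are
# normalised to lowercase; anything else is rejected rather than guessed at).
NAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def encode_set_name(name: str) -> str:
    """ABI-encode setName(string): selector, offset, length, padded bytes."""
    raw = name.encode("utf-8")
    padded = raw + b"\x00" * (-len(raw) % 32)
    return "0x" + SET_NAME_SELECTOR + f"{32:064x}" + f"{len(raw):064x}" + padded.hex()


def decode_set_name(data: str) -> str:
    """Strict inverse of encode_set_name; raises ValueError on anything odd."""
    if not re.fullmatch(r"0x[0-9a-fA-F]*", data):
        raise ValueError("calldata is not hex")
    blob = bytes.fromhex(data[2:])
    if blob[:4].hex() != SET_NAME_SELECTOR:
        raise ValueError("unexpected function selector")
    args = blob[4:]
    if len(args) < 64:
        raise ValueError("calldata too short")
    if int.from_bytes(args[:32], "big") != 32:
        raise ValueError("unexpected argument offset")
    length = int.from_bytes(args[32:64], "big")
    payload = args[64:64 + length]
    # Reject trailing or missing bytes: extra data is a classic smuggling spot.
    if len(payload) != length or len(args) != 64 + length + (-length % 32):
        raise ValueError("string length does not match calldata size")
    return payload.decode("utf-8")


def check_set_name_tx(tx: dict, expected_name: str) -> tuple:
    """Return (ok, reason). Only a transaction that passes is handed to the signer."""
    try:
        chain_id = int(tx["chainId"])
        allowed = ALLOWED_REVERSE_REGISTRARS.get(chain_id)
        if not allowed:
            return False, f"chainId {chain_id} is not enabled"
        if str(tx["to"]).lower() not in {a.lower() for a in allowed}:
            return False, "recipient is not the pinned Reverse Registrar"
        if str(tx["value"]) != "0":
            return False, "setName must not carry native value"
        if not NAME_RE.match(expected_name):
            return False, "expected name fails syntax check"
        name = decode_set_name(str(tx["data"]))
    except (KeyError, ValueError, UnicodeDecodeError) as exc:
        return False, f"malformed transaction: {exc}"
    if name != expected_name:
        return False, f"calldata sets {name!r}, not {expected_name!r}"
    return True, "ok"


# Constructed sample of what a set-primary step would hand to the signer.
GOOD_TX = {"to": "0x" + "22" * 20, "data": encode_set_name("alice.eth"),
           "value": "0", "chainId": 8453}
# Constructed hostile variant: recipient copied from an untrusted resolver lookup.
BAD_TX = dict(GOOD_TX, to="0x" + "ab" * 20)

if __name__ == "__main__":
    for tx in (GOOD_TX, BAD_TX):
        print(json.dumps(tx)[:48], "...", check_set_name_tx(tx, "alice.eth"))
```

Run the check on the exact JSON string that would be passed to the signer, after any script has finished assembling it, so that nothing parsed from the subgraph or RPC responses can move the recipient, the chain or the name between validation and signing.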
Audit Metadata