building-with-base-account

Warn

Audited by Snyk on Feb 24, 2026

Risk Level: MEDIUM

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's Prolinks workflow (references/prolinks.md) explicitly decodes and executes arbitrary prolink payloads/URLs provided by users ("When a user opens a prolink URL, their Base Account app decodes and executes the request"), meaning untrusted third-party user-generated content can be ingested and directly drive RPC calls and subsequent actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly designed for on-chain financial operations. It documents and exposes payment-specific features: Base Pay (one-tap USDC payments, pay()), payment status checking, shareable payment links (Prolinks), subscriptions/recurring charges, batch transactions, smart wallets and signing, paymasters/gas sponsorship, sub-accounts and CDP wallet funding. It also includes security guidance for tracking transaction IDs and verifying senders. These are concrete crypto/payment APIs and flows intended to move funds or authorize transactions, not generic tooling.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 24, 2026, 09:30 PM