web

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md describes using the web.surf.cascade.fyi /v1/crawl and /v1/search endpoints to fetch and return content from arbitrary public URLs and search results (pages, snippets) which the agent is instructed to read and act on, allowing untrusted third-party content to influence behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill makes runtime calls to https://web.surf.cascade.fyi (e.g., /v1/crawl and /v1/search) to fetch arbitrary page content which is returned as markdown/html/text and can be injected into the agent's context, meaning remote content directly controls prompts and the service is a required dependency.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly requires and demonstrates making USDC micropayments on Solana via the x402_payment tool (e.g., "Uses x402_payment tool for automatic USDC micropayments ($0.005/crawl, $0.01/search)" and example calls like x402_payment({...})). That is a specific crypto/payment integration (payments on Solana/mainnet), not a generic HTTP caller, and it performs financial transactions as part of normal operation. Under the rule that crypto/blockchain payment APIs count as Direct Financial Execution, this skill grants direct financial execution capability.