blockchain-auditor

Warn

Audited by Snyk on Mar 8, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's required workflow (SKILL.md) explicitly fetches and ingests public third-party content—e.g., Etherscan API calls (curl "https://api.etherscan.io/..."), 4byte.directory lookups, and arbitrary RPC/URL fetches via cast/curl—then instructs the agent to analyze that content and drive follow-up actions (analysis, fork tests, exploits), which enables indirect prompt injection from untrusted web sources.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill's environment setup includes a required installer invoked as "curl -L https://foundry.paradigm.xyz | bash", which fetches and executes remote code (Foundry) at runtime, so it is a high-confidence execution-risk dependency.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly focused on interacting with blockchain networks to discover and validate ways to extract funds. It includes concrete, crypto-specific transaction commands and workflows (e.g., cast send <target> ... --private-key $PRIVATE_KEY, forge test fork exploits, vm.prank + target.call(...), checks for balance transfers, and PoC exploit scripts that verify/perform fund extraction). These are not generic tools — they are blockchain transaction and wallet execution capabilities (signing/sending transactions, validating fund movement), and the skill even provides an "Execution Script" to send transactions. Therefore it grants direct crypto/financial execution authority.

Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 8, 2026, 12:11 AM