multi-canister

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md "Canister Factory" section (Motoko and Rust examples) clearly accepts a caller-supplied wasmModule blob in createChildCanister, which ingests untrusted/user-provided code that can materially change runtime behavior and thus enable indirect injection.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). This skill includes explicit Internet Computer management-canister APIs and patterns that move on-chain value ("cycles") between canisters. Examples: the Motoko factory calls ic.create_canister with "with cycles = 1_000_000_000_000" and references ic.install_code and deposit_cycles; the Rust factory uses create_canister_with_extra_cycles and install_code, and mentions canister balance APIs (ic_cdk::api::canister_balance128()). These are blockchain-specific operations that transfer or allocate ICP cycles (value) programmatically — i.e., direct financial execution on-chain. Therefore it meets the criterion for direct financial execution.