wallet-integration

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and displays ICRC-21 consent messages from canisters as part of the transfer flow (see "wallet.transfer → signer fetches ICRC-21 consent message" and the signer.prompt handling of payload.consentInfo) and also connects to arbitrary wallet URLs (e.g., url: 'https://your-wallet.example.com/sign'), so untrusted third-party content is ingested and can influence approval/next actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). This skill is explicitly designed for blockchain wallet integration and includes concrete APIs for moving assets: methods such as icrc1Transfer, transfer, icrc2Approve, approve, and transferFrom (with ledgerCanisterId), plus signer flows that execute canister calls and return block indices. Those are direct crypto/blockchain financial execution operations (wallet signing and token transfers/approvals), not generic tooling. Therefore it meets the "Direct Financial Execution" criteria.