self-improve

Warn

Audited by Snyk on Mar 5, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly configures and uses MCP servers (opencode.json) and describes fetching runtime context from a Notion MCP "Skills page" that "can be updated by anyone" (Learnings Log: Two-Layer Skill Pattern), meaning the agent ingests untrusted, user-editable third-party content that can influence its behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The repository's opencode.json explicitly configures a remote MCP server at https://www.0.finance/api/mcp which is used at runtime to provide model context/tools (MCP) that can directly influence agent prompts/behavior, making it a required external dependency.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly references crypto/financial integrations and tooling: it lists a "safe-infrastructure" agent for Safe wallet operations, a "new-vault-implementation" agent for adding DeFi vaults, a "zero-finance" MCP server, and project files like a transaction relay and safe management. It also documents wallet architecture (EOA signing, Smart Wallet/Safe, primary Safe where funds reside). These are specific blockchain/transaction capabilities (wallets, signing, relays/vaults), not generic tooling, and therefore constitute direct financial execution capability.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 5, 2026, 02:30 AM