ika-operator

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). SKILL.md explicitly instructs operators to fetch canonical package/object IDs from public GitHub files (e.g., deployed_contracts/mainnet/address.yaml in the linked repo) and to populate node configs from those external files, meaning the agent is expected to read/interpret untrusted public web content that can materially change runtime behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The guide explicitly directs operators to download and run binaries from https://github.com/dwallet-labs/ika/releases (and to fetch package IDs from the repo), which means remote executable code is fetched and executed as a required dependency at setup/runtime, creating a clear runtime external-code execution risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly for operating blockchain validator nodes and includes concrete, crypto-specific actions: generating/handling keypairs (including irreplaceable root-seed), MPC signing services, Sui keypairs and Sui CLI usage, commands to register a validator candidate, a CLI command to join the committee, and an explicit staking step ("Stake at least 40 million IKA via: https://..."). These are specific crypto/blockchain operations that enable on-chain staking and signing (i.e., moving/control of crypto assets), not generic tooling. Therefore it grants direct financial execution capability.