flare-fassets
Warn
Audited by Snyk on Feb 26, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). This skill clearly ingests untrusted, user-generated third-party content (XRPL payment memos, FDC attestation/proof data and RPC responses) as part of its runtime workflow: see scripts/execute-minting.ts (fetching VERIFIER_URL_TESTNET and COSTON2_DA_LAYER_URL to obtain FDC proofs), scripts/xrp-payment.ts (XRPL memos/payment references), and the SKILL.md warnings that payment references and FDC proofs are untrusted. Because those inputs directly drive actions such as executeMinting(), they could enable indirect prompt injection if mishandled.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill documents explicit crypto financial operations and specific contract/API calls that can move value: it references AssetManager functions like reserveCollateral, executeMinting, redeem, token approve, minting/redemption flows, gasless (EIP-712) payment/relayer flows, and provides scripts and guidance to call those write functions. Even though the skill states it is reference-only and recommends human-in-the-loop controls, it exposes concrete blockchain transaction APIs and write operations that enable direct value transfer (minting/redeeming FXRP etc.). Under the core rule (crypto/blockchain functions such as wallets/signing/transactions), this is a direct financial execution capability.