flare-fassets

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's runtime guidance and resource scripts explicitly fetch and ingest untrusted, user-provided third-party data — e.g., scripts/execute-minting.ts calls VERIFIER_URL_TESTNET and COSTON2_DA_LAYER_URL to retrieve FDC attestations/proofs used to drive executeMinting, and the agent-details guide reads on-chain agent metadata (name/description/icon/terms URLs) — which the workflow treats as inputs that materially influence actions (minting/redeeming) and therefore could enable indirect prompt-injection if mishandled.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is specifically focused on crypto financial operations (Flare FAssets minting and redemption) and documents explicit on-chain state-changing functions and developer scripts: e.g. reserveCollateral, executeMinting, redeem, token approve, executeTransaction (MasterAccountController), and example scripts that can broadcast when DRY_RUN=false. Although the SKILL states it will not sign/broadcast or hold keys, it explicitly documents the concrete contract calls, contract addresses, and runnable scripts for moving value on-chain. That makes it a specific crypto/transaction-focused integration rather than a generic tool, so it meets the "Direct Financial Execution" criterion.