cardano-cli-transactions

Warn

Audited by Snyk on Feb 15, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The script scripts/cardano-cli.sh defaults to pulling and running the container image ghcr.io/intersectmbo/cardano-node:latest at runtime (via docker run) if cardano-cli is not available locally, which causes execution of remote code from that URL.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly focused on building, signing, and submitting Cardano blockchain transactions (commands like "cardano-cli ... transaction build", "transaction sign --signing-key-file", "transaction submit"), includes examples for sending ADA and native tokens, and provides templates for constructing real transfers. Although it labels itself as guidance and delegates execution to an operator skill, its primary and explicit purpose is performing cryptocurrency transaction operations (including signing), which is direct financial execution capability.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 15, 2026, 09:10 PM