defi-lending

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill clearly fetches lending-pool data from a third-party service (see SKILL.md Providers and the scripts that call getAllPools in scripts/list-pools.js / surf-client.js, and SKILL.md notes "Surf API returns unsigned CBOR"), and that external pool data is read and used to decide supply/borrow actions—so untrusted third-party content can materially influence agent behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly and specifically designed to perform crypto financial operations on Cardano: it lists capabilities to "Supply assets to earn APY" and "Borrow against collateral", provides concrete scripts (node scripts/supply.js and node scripts/borrow.js) that accept a bech32 address, poolId and amount (lovelace), and instructs to "Use defi-lending-operator to execute transactions." It also states "Surf API returns unsigned CBOR directly — sign and submit via operator." These elements show the skill is intended to create, sign, and submit blockchain transactions (crypto wallet/transaction execution) rather than being a generic tool. This matches the Core Rule category for Crypto/Blockchain (wallets, signing, swaps) and thus constitutes direct financial execution authority.