solana-dev

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs using Surfpool which "lazily fetches" mainnet account state and supports RPC methods that re-fetch remote data and register IDLs (see surfpool.md and surfpool-cheatcodes.md: e.g., "accounts are lazily fetched from a remote RPC" and surfnet_registerIdl/surfnet_resetAccount), meaning the agent will ingest untrusted public RPC/IDL/account data that can change how it builds transactions and acts.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly focused on Solana blockchain development and includes wallet connection + signing flows, "transaction building / sending / confirmation UX", explicit notes about fee payer, recent blockhash, signers, token program variants, and references to "Payments" and "Confidential transfers" docs. Those are specific crypto capabilities for creating, signing, and sending on-chain transactions (i.e., moving funds). This is not a generic toolset—it's designed to perform blockchain transaction execution and wallet signing—so it constitutes Direct Financial Execution capability.