celestia
Warn
Audited by Snyk on Feb 28, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill clearly ingests untrusted peer-provided content from the DA network, e.g., ExtendedHeaders via HeaderSub and p2p.Exchange, share/EDS data via DAS/GetSharesByNamespace, P2P-discovered state responses via P2PAccess, and BEFP fraud proofs via pubsub (see references/core-headers.md, core-shares-and-das.md, features-p2p-discovery.md, features-fraud-proofs.md). The agent is expected to read and act on that content (syncing, sampling/repair, state queries, halting on fraud), so injected content could materially change the agent's behavior.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly for operating a Celestia blockchain node and includes APIs to submit transactions: SubmitTx, SubmitPayForBlob, Transfer and staking operations. Those are blockchain transaction primitives (sending transactions/payments and transferring funds), i.e., direct financial execution on-chain rather than generic tooling. Therefore the skill grants direct crypto/transaction execution capability.