openzeppelin-solidity
Warn
Audited by Snyk on Mar 4, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). This skill's CLI and README (bin/cli.js addFromRemote / "npx oz-skills add https://github.com/…") explicitly clone arbitrary public GitHub repos and copy recognized skill files (e.g., .github/copilot-instructions.md, CLAUDE.md, .cursor/rules), so untrusted third‑party content can be fetched and injected into the agent's workspace and thereby alter the agent's behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The CLI (bin/cli.js) performs a runtime git clone of user-supplied GitHub URLs (cp.execSync(git clone --depth 1 ${url})), e.g. https://github.com/Joaco2603/Open-zepellin-skills.git, then copies files such as .github/copilot-instructions.md and CLAUDE.md into the workspace — these fetched files directly control AI assistant prompts, so this is a high-confidence runtime risk.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly about Solidity smart-contract development for tokens, vaults, staking, and deployments. It references token minting and transfers (_mint, _transfer, _safeMint), protections for functions that transfer ETH (ReentrancyGuard, CEI), DeFi primitives (ERC4626 vaults, staking reward patterns), signature schemes (ECDSA.recover, EIP-712), oracle usage, and deployment key handling (private keys, multisig/Gnosis Safe). These are specific, crypto/blockchain financial capabilities (creating and managing on-chain value transfers and signing), not generic tooling, so it grants direct crypto/financial execution authority.