icp-cli

Warn

Audited by Snyk on Feb 19, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill explicitly instructs the agent to fetch and cite public web documentation and repositories (see the "Tool calls" section with WebFetch URLs like https://dfinity.github.io/icp-cli/, GitHub links, and a forum post https://forum.dfinity.org/...), and those external, user-hosted pages (including the forum and remote recipe URLs) would be read and could change command/recipe-driven behavior—exposing the agent to untrusted third-party content that could enable indirect prompt injection.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly for the ICP blockchain CLI and documents concrete, built-in commands to move value: token transfers and cycles transfers/top-ups. It includes commands like icp token transfer --to <AccountIdentifier> --amount <...>, icp cycles transfer --to <canister> --amount <...>, and icp canister top-up --amount <amount> <canister>. It also exposes obtaining ledger account IDs (icp identity account-id) and other wallet/identity operations. These are specific, purpose-built financial/cryptocurrency transaction operations (not generic API/click or code-execution tools) and therefore constitute direct financial execution capability.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 19, 2026, 12:24 AM