contract-learner

Warn

Audited by Snyk on Mar 7, 2026

Risk Level: MEDIUM

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches verified contract ABIs from the public Etherscan API (and uses public RPC endpoints) and directly parses that untrusted third-party ABI data to categorize functions and generate executable SKILL.md files, so external ABI content can materially change the agent's calldata, function classification, and subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The skill fetches verified contract ABIs at runtime from the Etherscan API (e.g., "https://api.etherscan.io/v2/api?chainid=&module=contract&action=getabi&address=&apikey=$ETHERSCAN_API_KEY"), and those ABI JSON responses are required and directly parsed to generate the SKILL.md instructions, so remote content controls the agent's output.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly designed to generate SKILL.md files that instruct agents how to execute blockchain transactions via a wallet backend. The generated output contains concrete, actionable commands for signing/sending transactions (e.g., "keypo-wallet send --key --to --data $CALLDATA", "keypo-wallet batch", and payable function notes with "--value "), uses cast calldata encoding for function calls, and includes token amount encoding and approve+action batching patterns. It also maps chains/RPCs and fetches ABIs to enable on-chain interactions. These are specific crypto/blockchain wallet execution capabilities (sending ETH/tokens, batching calls), so this meets the criteria for Direct Financial Execution.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 7, 2026, 12:03 AM