payments-and-wallets
Warn
Audited by Snyk on Mar 7, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The workflow explicitly instructs the agent to "locate relevant documentation and examples" and to spawn a read-only subagent scoped to "skill references, example repos, and docs" (e.g., the GitHub examples link and zkcompression.com docs in Resources), which requires fetching and interpreting public third-party content that can materially influence actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill explicitly instructs installing/loading external skills at runtime (e.g., "npx skills add Lightprotocol/skills" and subagents "load skills via Skill tool"), so fetching the GitHub repo https://github.com/Lightprotocol/skills could deliver code/skill content that directly controls agent instructions.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed for payments and wallet integrations on Solana and exposes specific financial operations and APIs: functions for transferring tokens (transferInterface, createTransferInterfaceInstructions), creating transaction instructions, loading/creating token accounts (loadAta, createLoadAtaInstructions), wrapping/unwrapping tokens (wrap/unwrap), creating mints, and retrieving/send history and balances. It also documents client-side and Privy signing flows (including PRIVY_APP_SECRET and TREASURY_AUTHORIZATION_KEY), which are used to sign and execute on-chain transactions. These are concrete tools to move value, not generic utilities, so the skill grants direct financial execution capability.